With properly configured auditing rules, Unix machines can provide a wealth of data about your users' activity. Using a syslog configuration, it only takes a minute to get your logs into the cloud.
You'll need a new config file to hold all of the configuration settings relating to auditing; we named it "02-unix-audit.conf".
sudo vi /etc/rsyslog.d/02-unix-audit.conf

2) Update your config file

Below is the config file for transferring your audit logs to the cloud via syslog. Make sure to change the security token to your own, which you can find on the account management page.

$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/spool/rsyslog

# Audit log file read by imfile:
$InputFileName /var/log/audit/audit.log
$InputFileTag unix-audit:
$InputFileStateFile stat-unix-audit
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Add a tag for audit events
$template UnixAudit,"LOGSCAPETOKEN:YOUR_SECURITY_TOKEN_HERE LOGSCAPETAG:unix-audit <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% %msg%"

# Forward audit events over TCP (@@) to the collector, then discard them (~)
# so they are not also written to the local syslog files
if $programname == 'unix-audit' then @@collector.logscape.com:1468;UnixAudit
if $programname == 'unix-audit' then ~
You'll also need to make sure your rsyslog.conf loads imfile with the line:

$ModLoad imfile

3) Restart Syslog
You'll need to restart your syslog daemon in order for the changes to take effect.
sudo service rsyslog restart

4) Permissions

By default audit.log and the directory that contains it can only be accessed by root, so permissions have to be changed to give the syslog daemon read access to both the directory and the file.
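Step 4 says the permissions must change but not how. The script below is an added example, not part of the original post: it gives the group rsyslog drops to ($PrivDropToGroup adm in the config above) read access to auditd's log directory and file, and also sets log_group in auditd.conf so auditd keeps that group when it creates a new log file. The function names, the --apply flag and the default paths are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes rsyslog runs as group
# "adm" and auditd writes /var/log/audit/audit.log; override via environment.
AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"
AUDITD_CONF="${AUDITD_CONF:-/etc/audit/auditd.conf}"
SYSLOG_GROUP="${SYSLOG_GROUP:-adm}"

# grant_audit_read DIR GROUP
# Directory 0750: the group may list and enter it but not create files.
# Log files 0640: the group may read them; "other" gets nothing.
grant_audit_read() {
    chgrp "$2" "$1" "$1"/audit.log*
    chmod 0750 "$1"
    chmod 0640 "$1"/audit.log*
}

# check_audit_read DIR GROUP -> 0 when mode and group are exactly as intended.
# stat -c is GNU coreutils (%a = octal mode, %G = group name).
check_audit_read() {
    [ "$(stat -c %a "$1")" = "750" ] && [ "$(stat -c %G "$1")" = "$2" ] &&
    [ "$(stat -c %a "$1/audit.log")" = "640" ] &&
    [ "$(stat -c %G "$1/audit.log")" = "$2" ]
}

# set_audit_log_group CONF GROUP
# auditd applies its own mode and group when it opens a fresh log (e.g. after
# rotation), so a one-off chgrp is undone unless log_group is set as well.
set_audit_log_group() {
    tmp=$(mktemp)
    if grep -q '^log_group' "$1"; then
        sed "s/^log_group.*/log_group = $2/" "$1" > "$tmp"
    else
        cat "$1" > "$tmp" && printf 'log_group = %s\n' "$2" >> "$tmp"
    fi
    cat "$tmp" > "$1" && rm -f "$tmp"   # keep the conf file's own permissions
}

# get_audit_log_group CONF -> prints the configured log_group value
get_audit_log_group() {
    sed -n 's/^log_group[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

if [ "${1:-}" = "--apply" ]; then        # run as root on the audited host
    grant_audit_read "$AUDIT_DIR" "$SYSLOG_GROUP"
    set_audit_log_group "$AUDITD_CONF" "$SYSLOG_GROUP"
    check_audit_read "$AUDIT_DIR" "$SYSLOG_GROUP" && echo "audit log readable by $SYSLOG_GROUP"
fi
```

Restart auditd after changing log_group so the new setting applies to the next log file it creates.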