As its name suggests, auditd is a service that audits activities in a Linux environment. It’s available for most major Linux distributions.

This page gives instructions for replacing auditd with Auditbeat so you can easily ship your audit logs to Logz.io.

Configuration

Before you begin, you'll need auditd installed and root access on the host.

Download the Logz.io certificate

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

sudo wget https://raw.githubusercontent.com/logzio/public-certificates/master/COMODORSADomainValidationSecureServerCA.crt -P /etc/pki/tls/certs/

Install Auditbeat

Download and install Auditbeat 6.8.

Copy auditd rules

You need root privileges to interact with the auditd rules file.

Create a new audit.rules file to hold your audit rules for Auditbeat:

sudo touch /etc/auditbeat/audit.rules.d/audit.rules

Copy the auditd rules to your newly created Auditbeat rules file:

sudo su
cat /etc/audit/rules.d/audit.rules > /etc/auditbeat/audit.rules.d/audit.rules
exit

Add auditd as a source input

Open the Auditbeat configuration file (/etc/auditbeat/auditbeat.yml).

Paste this code block at the top of the file.

Replace <<SHIPPING-TOKEN>> with the token of the account you want to ship to.

# ...
fields:
  type: auditd
  logzio_codec: json
  token: <<SHIPPING-TOKEN>>
fields_under_root: true

processors:
- rename:
    fields:
    - from: "agent"
      to: "beat_agent"
    ignore_missing: true
- rename:
    fields:
    - from: "log.file.path"
      to: "source_auditd"
    ignore_missing: true

Configure Auditbeat to use the new rules file

In the auditbeat.modules object, find the auditd module.

Replace the audit_rule_files array with this:

audit_rule_files: [ '/etc/auditbeat/audit.rules.d/audit.rules' ]

Set Logz.io as the output

Remove the output section in the configuration, and replace it with this code block.

Replace <<LISTENER-HOST>> with your region’s listener host (for example, listener.logz.io). For more information on finding your account’s region, see Account region.

# ...
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

Start Auditbeat

Stop auditd, and then start Auditbeat. Only one process can own the kernel's audit socket, so Auditbeat's auditd module cannot receive audit events while auditd is still running.
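The steps above (copying the rules, filling in the placeholders, pinning the CA certificate) can be rehearsed in a scratch directory before touching /etc. The script below is an added example, not part of the Logz.io page or of the Beats project: it takes every path as an argument, refuses to copy an empty rules file, refuses a configuration that still contains an unreplaced <<...>> placeholder, and restricts permissions on the rendered auditbeat.yml because it carries the shipping token. The sample rules, template and certificate it writes are constructed inline; the token and listener host values are placeholders.

```shell
#!/bin/sh
# Added example (not from the Logz.io page or the Beats project): stage the
# auditd -> Auditbeat hand-over against arbitrary paths so it can be rehearsed
# in a scratch directory before being applied under /etc.
# Assumptions: the template uses the placeholders <<SHIPPING-TOKEN>> and
# <<LISTENER-HOST>> exactly as on the page, and the token contains no
# characters special to sed ("|" or "&"), which is true of alphanumeric tokens.
set -eu

# Print the number of active auditctl rules in FILE (lines starting with
# -a, -w, -A, -D, -e, -f, -b or -r). Comments and blank lines do not count.
count_audit_rules() {
  grep -c -E '^[[:space:]]*-[awADefbr]' "$1" || true
}

# Copy the auditd rules into the Auditbeat rules file. An unreadable or empty
# source is an error so Auditbeat is never started with no rules by mistake.
# Prints the number of rules copied.
copy_audit_rules() {
  src=$1; dst=$2
  [ -r "$src" ] || { echo "rules file $src is not readable" >&2; return 1; }
  n=$(count_audit_rules "$src")
  [ "$n" -gt 0 ] || { echo "no audit rules found in $src" >&2; return 1; }
  mkdir -p "$(dirname "$dst")"
  cp "$src" "$dst"
  chmod 0640 "$dst"   # rules reveal what is monitored; keep them off unprivileged users
  echo "$n"
}

# Render auditbeat.yml from TEMPLATE: substitute the two placeholders, fail if
# any <<...>> placeholder survives, then lock the file down (it holds the token).
render_auditbeat_config() {
  tmpl=$1; token=$2; host=$3; out=$4
  sed -e "s|<<SHIPPING-TOKEN>>|$token|g" -e "s|<<LISTENER-HOST>>|$host|g" "$tmpl" > "$out"
  if grep -q '<<[A-Z-]*>>' "$out"; then
    echo "unreplaced placeholder in $out:" >&2
    grep -n '<<[A-Z-]*>>' "$out" >&2
    return 1
  fi
  chmod 0600 "$out"
}

# Confirm the CA file pinned under certificate_authorities exists and is PEM,
# so the TLS output does not start with a missing or empty trust anchor.
check_ca_cert() {
  [ -s "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

# --- demo on constructed sample files in a scratch directory ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

cat > "$work/auditd.rules" <<'EOF'
## constructed sample auditd rules (not a recommended rule set)
-D
-b 8192
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
EOF

cat > "$work/auditbeat.yml.tmpl" <<'EOF'
fields:
  type: auditd
  logzio_codec: json
  token: <<SHIPPING-TOKEN>>
fields_under_root: true
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
EOF

# constructed stand-in for the downloaded Logz.io certificate
printf -- '-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n' > "$work/ca.crt"

copy_audit_rules "$work/auditd.rules" "$work/auditbeat/audit.rules.d/audit.rules"
render_auditbeat_config "$work/auditbeat.yml.tmpl" "CONSTRUCTED-TOKEN" "listener.logz.io" "$work/auditbeat.yml"
check_ca_cert "$work/ca.crt" && echo "staged Auditbeat configuration under $work"
```

Run against the real paths (/etc/audit/rules.d/audit.rules, /etc/auditbeat/audit.rules.d/audit.rules, /etc/auditbeat/auditbeat.yml) once the scratch run is clean, and before the hand-over let Auditbeat itself validate the file with `auditbeat test config -c /etc/auditbeat/auditbeat.yml`; if that passes but nothing reaches Logz.io, check that auditd was really stopped, since the module cannot read audit events while it still owns the socket.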

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Kibana.

If you still don’t see your logs, see log shipping troubleshooting.