The following are the steps to direct audit logs to a remote rsyslog server on a CentOS/RHEL 6 or 7 server.
Server Side Configuration
Perform these steps to set up the syslog server:
1. Uncomment the following lines in the MODULES section of /etc/rsyslog.conf:
# vi /etc/rsyslog.conf
$ModLoad imtcp
$InputTCPServerRun 514
If you are using UDP instead, uncomment the following lines:
# vi /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
2. Configure the rsyslog server to receive rsyslog events from clients. To receive audit logs from client servers, add the following lines to the /etc/rsyslog.conf file:
# vi /etc/rsyslog.conf
$template HostAudit, "/var/log/rsyslog/%HOSTNAME%/audit_log"
local6.* ?HostAudit
3. Restart the rsyslog service.
# service rsyslog restart      ### CentOS/RHEL 6
# systemctl restart rsyslog    ### CentOS/RHEL 7
Client Side Configuration
1. Take a backup of the existing /etc/rsyslog.conf.
# cp /etc/rsyslog.conf /etc/rsyslog.conf.bkp
2. Append the following rules to the /etc/rsyslog.conf file to direct the logs to the central rsyslog server. The imfile module has to be loaded in rsyslogd, otherwise the configuration for directing the auditd log won't work.
# vi /etc/rsyslog.conf
#audit log
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
*.* @[serverip]    ### Add rsyslog server IP here
Make sure you replace [serverip] with your rsyslog server IP address. A single @ forwards over UDP; use @@ to forward over TCP, which matches the imtcp listener configured on the server. Note that the *.* selector forwards every message from this client, not only the local6 audit stream.
3. Restart the rsyslog service for the changes to take effect.
# service rsyslog restart      ### CentOS/RHEL 6
# systemctl restart rsyslog    ### CentOS/RHEL 7
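As an added check that is not part of the original how-to, the shell function below inspects a client-side rsyslog.conf for the pieces the steps above require (imfile loaded, audit.log monitored, local6 facility, forwarding rule) and flags a forwarding rule that still carries the [serverip] placeholder or uses UDP. The sample config written in the demo is constructed for illustration.

```shell
#!/bin/sh
# Added check for the client-side rsyslog.conf described above (example, not from the how-to).
# Usage: check_rsyslog_client_conf /etc/rsyslog.conf ; returns 0 when all required pieces are present.
check_rsyslog_client_conf() {
    conf="$1"
    problems=0
    # imfile must be loaded or the $InputFile* directives will not work
    grep -Eq '^\$ModLoad[[:space:]]+imfile' "$conf" \
        || { echo "MISSING: \$ModLoad imfile"; problems=$((problems+1)); }
    # The monitored file must be the auditd log and the monitor must be started
    grep -Eq '^\$InputFileName[[:space:]]+/var/log/audit/audit\.log' "$conf" \
        || { echo "MISSING: \$InputFileName /var/log/audit/audit.log"; problems=$((problems+1)); }
    grep -Eq '^\$InputRunFileMonitor' "$conf" \
        || { echo "MISSING: \$InputRunFileMonitor"; problems=$((problems+1)); }
    # Facility must match the server's local6.* selector, or audit_log stays empty
    grep -Eq '^\$InputFileFacility[[:space:]]+local6' "$conf" \
        || { echo "MISSING: \$InputFileFacility local6"; problems=$((problems+1)); }
    # The [serverip] placeholder must have been replaced with a real address
    if grep -Eq '@\[serverip\]' "$conf"; then
        echo "ERROR: [serverip] placeholder not replaced"; problems=$((problems+1))
    fi
    # Forwarding rule: @ is UDP, @@ is TCP (needed to match the imtcp listener)
    fwd=$(grep -E '^[^#]*[[:space:]]@@?[^[:space:]]+' "$conf" | head -n 1)
    if [ -z "$fwd" ]; then
        echo "MISSING: forwarding rule (e.g. *.* @@<server>)"; problems=$((problems+1))
    elif echo "$fwd" | grep -Eq '[[:space:]]@@'; then
        echo "OK: forwarding over TCP: $fwd"
    else
        echo "WARN: forwarding over UDP (single @): $fwd"
    fi
    [ "$problems" -eq 0 ]
}

# Demo on a constructed config: imfile not loaded and placeholder left in place
demo=$(mktemp)
cat > "$demo" <<'EOF'
$InputFileName /var/log/audit/audit.log
$InputFileFacility local6
$InputRunFileMonitor
*.* @[serverip]
EOF
if check_rsyslog_client_conf "$demo"; then echo "demo: OK"; else echo "demo: problems found"; fi
rm -f "$demo"
```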