Collect Linux auditd and Unix system logs
This document describes how to collect audit daemon (auditd) and Unix system logs, and use the Google Security Operations forwarder to ingest logs to Google SecOps.
The procedures in this document have been tested on Debian 11.7 and Ubuntu 22.04 LTS (Jammy Jellyfish).
Collect logs from auditd and syslog
You can configure Linux hosts to send auditd logs to a Google SecOps forwarder by using rsyslog.
Deploy the audit daemon and the audit dispatching framework:
apt-get install auditd audispd-plugins
If you have already deployed the daemon and framework, skip this step.
Enable logging of all commands (including user and root) by adding the following lines to /etc/audit/rules.d/audit.rules:
-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
Restart auditd:
service auditd restart
Configure Google SecOps forwarder for auditd
On the Google SecOps forwarder, specify the following data type:
- syslog:
    common:
      enabled: true
      data_type: AUDITD
      batch_n_seconds:
      batch_n_bytes:
    tcp_address:
    connection_timeout_sec:
For more information, see Install and configure the Google SecOps forwarder on Linux.
Configure syslog
Verify that the parameters in the /etc/audisp/plugins.d/syslog.conf file match the following values:
active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_LOCAL6
format = string
Modify or create the /etc/rsyslog.d/50-default.conf file and add the following line at the end of the file:
local6.* @@FORWARDER_IP:PORT
Replace FORWARDER_IP and PORT with the IP address and port of your forwarder.
- The first column indicates which logs are sent from /var/log over rsyslog.
- The @@ indicates that TCP is used to send the message. To use UDP, use one @.
Disable local logging to syslog: add local6.none to the line that configures local syslog logging. The path varies by OS:
- Debian: /etc/rsyslog.conf
- Ubuntu: /etc/rsyslog.d/50-default.conf
*.*;local6.none;auth,authpriv.none -/var/log/syslog
Restart the following services:
service auditd restart
service rsyslog restart
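To check the result of the rsyslog edits above before restarting, here is an added example (not from this page or from the forwarder project) that evaluates classic rsyslog selector lines over a configuration's text. It shows why local6.none on the local rule stops the audisp messages from being written to /var/log/syslog while the local6.* @@FORWARDER_IP:PORT rule still forwards them. The sample configuration and the FORWARDER_IP:PORT placeholder are constructed, and only the '*', 'none' and plain priority forms of a selector are handled.

```python
import re
# Classic syslog priorities, lowest to highest; a plain level selects it and above.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def selector_matches(selector, facility, priority):
    """Evaluate a selector like '*.*;local6.none;auth,authpriv.none'. Parts apply
    left to right, so a later 'local6.none' removes local6 from the earlier '*.*'."""
    matched = False
    for part in selector.split(";"):
        facilities, _, level = part.strip().rpartition(".")
        facilities = [f.strip() for f in facilities.split(",")]
        if "*" not in facilities and facility not in facilities:
            continue  # this part says nothing about our facility
        if level == "none":
            matched = False
        elif level == "*" or PRIORITIES.index(priority) >= PRIORITIES.index(level):
            matched = True
    return matched

def parse_rules(config_text):
    """Return (selector, action) pairs, skipping comments, blanks and $directives."""
    rules = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#$":
            continue
        selector, action = re.split(r"\s+", line, maxsplit=1)
        rules.append((selector, action))
    return rules

def destinations(config_text, facility, priority="info"):
    """List the actions that receive messages of the given facility and priority."""
    return [action for selector, action in parse_rules(config_text)
            if selector_matches(selector, facility, priority)]

def check_auditd_forwarding(config_text):
    """Return problems with local6 (audisp) routing; empty means it matches this page."""
    problems = []
    targets = destinations(config_text, "local6")
    if not any(t.startswith("@") for t in targets):
        problems.append("local6 is not forwarded (no @ or @@ action)")
    if any(t.lstrip("-").startswith("/") for t in targets):
        problems.append("local6 is still written to a local file; add local6.none")
    return problems
# Constructed sample of /etc/rsyslog.d/50-default.conf after this page's edits.
GOOD_CONF = """\
*.*;local6.none;auth,authpriv.none -/var/log/syslog
auth,authpriv.* /var/log/auth.log
local6.* @@FORWARDER_IP:PORT
"""
```

Feed it the text of your own rsyslog files (for example `check_auditd_forwarding(open("/etc/rsyslog.d/50-default.conf").read())`); an empty list means local6 goes only to the forwarder.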
Collect Unix systems logs
Create or modify the /etc/rsyslog.d/50-default.conf file and add the following line at the end of the file:
*.* @@FORWARDER_IP:PORT
Replace FORWARDER_IP and PORT with the IP address and port of your forwarder.
Run the following command to restart the daemon and load the new config:
sudo service rsyslog restart
Configure Google SecOps forwarder for Unix logs
On the Google SecOps forwarder, specify the following data type:
- syslog:
    common:
      enabled: true
      data_type: NIX_SYSTEM
      batch_n_seconds:
      batch_n_bytes:
    tcp_address:
    connection_timeout_sec:
For more information, see Install and configure the Google SecOps forwarder on Linux.