109.17. Linux Audit System (im_linuxaudit)

With this module, NXLog can set up Audit rules and collect the resulting logs directly from the kernel without requiring auditd or other userspace software. If the auditd service is installed, it must not be running.

Rules must be provided using at least one of the LoadRule and Rules directives. Rules should be specified using the format documented in the Defining Persistent Audit Rules section of the Red Hat Enterprise Linux Security Guide.

The -e control rule should be included in the ruleset to enable the Audit system (as -e 1 or -e 2). Rules are not automatically removed, either before applying a ruleset or when NXLog exits. To clear the current ruleset before setting rules, begin the ruleset with the -D rule. If the Audit configuration is locked when im_linuxaudit starts, NXLog will print a warning and collect events generated by the active ruleset.

Warning
It is recommended that FlowControl be disabled for im_linuxaudit module instances. If the im_linuxaudit module instance is suspended and the Audit backlog limit is exceeded, all processes that generate Audit messages will be blocked.

109.17.1. Configuration

The im_linuxaudit module accepts the following directives in addition to the common module directives. At least one of LoadRule and Rules must be specified.

LoadRule

Use this directive to load a ruleset from an external rules file. This directive can be used more than once. Wildcards can be used to read rules from multiple files.

Rules

This directive, specified as a block, can be used to provide Audit rules directly from the NXLog configuration file. The following control rules are supported: -b, -D, -e, -f, -r, --loginuid-immutable, --backlog_wait_time, and --reset-lost; see auditctl(8) for more information.

Include

This directive can be used inside a Rules block to read rules from a separate file. Like the LoadRule directive, wildcards are supported.
LockConfig

If this boolean directive is set to TRUE, NXLog will lock the Audit system configuration after the rules have been set. It will not be possible to modify the Audit configuration until after a reboot. The default is FALSE: the Audit configuration will not be locked.

109.17.2. Examples

Example 555. Collecting Audit Logs With LoadRule Directive

This configuration uses a set of external rule files to configure the Audit system.

nxlog.conf

<Input audit>
    Module      im_linuxaudit
    FlowControl FALSE
    LoadRule    'im_linuxaudit_*.rules'
</Input>

Example 556. Collecting Audit Logs With Rules Block

This configuration lists the rules inside the NXLog configuration file instead of using a separate Audit rules file.

nxlog.conf
<Input audit>
    Module      im_linuxaudit
    FlowControl FALSE
    <Rules>
        # Watch /etc/passwd for modifications and tag with 'passwd'
        -w /etc/passwd -p wa -k passwd
    </Rules>
</Input>
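As an added example that is not part of the NXLog manual, the following configuration combines the points made above: the ruleset starts with -D to clear any rules left behind, sets the control rules the Rules directive supports, pulls further watches from external files with Include, and enables the Audit system with -e as the last rule. The rule file pattern, the backlog and rate values, and the watched paths are assumptions chosen for illustration.

```apache
# Added example: full im_linuxaudit input using a Rules block (assumed values).
<Input audit>
    Module          im_linuxaudit

    # Suspending this instance can fill the kernel Audit backlog and
    # block every process that emits Audit records, so leave flow control off.
    FlowControl     FALSE

    # FALSE (the default) keeps the Audit configuration changeable at runtime.
    # TRUE would lock it after the rules are set, until the next reboot.
    LockConfig      FALSE

    <Rules>
        # Rules are never removed automatically: drop the current ruleset first.
        -D

        # Control rules supported inside a Rules block (see auditctl(8)).
        -b 8192                     # kernel backlog buffer count (assumed)
        -f 1                        # on failure, print to kernel log
        -r 100                      # rate limit in messages per second (assumed)
        --backlog_wait_time 60000   # wait time when the backlog is full (assumed)

        # Watch rules kept directly in the NXLog configuration.
        -w /etc/passwd -p wa -k identity
        -w /etc/shadow -p wa -k identity
        -w /etc/sudoers -p wa -k sudoers

        # Record every execve() on 64-bit systems, tagged 'exec'.
        -a always,exit -F arch=b64 -S execve -k exec

        # Additional rules from external files; wildcards are supported here.
        Include /etc/nxlog/audit.d/*.rules

        # Enable the Audit system last. -e 2 (or LockConfig TRUE) would lock
        # the configuration until reboot; -e 1 keeps it modifiable.
        -e 1
    </Rules>
</Input>
```

If the Audit configuration is already locked when this instance starts, NXLog only warns and collects events from the ruleset that is already active, so a rule set that does not take effect is a sign that a previous -e 2 or LockConfig TRUE is still in force.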