rsyslog.conf:
# State files are written relative to the work directory, so set it first
# (the RHEL package default is /var/lib/rsyslog; this post uses /var/spool/rsyslog).
$WorkDirectory /var/spool/rsyslog
# Tail the audit log with the file-input module.
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag Auditd
# $InputFileStateFile takes a file name inside the work directory, not the
# directory itself; pointing it at /var/spool/rsyslog cannot be written as a file.
$InputFileStateFile audit-log-state
$InputFileFacility local4
$InputRunFileMonitor
# Forward everything read from the audit file to the local Graylog input over TCP (@@).
local4.* @@127.0.0.1:15514
Two things remain an issue for me. I need to figure out the SELinux context needed to allow rsyslog into /var/log/audit:
OSSEC HIDS Notification.
2015 Apr 29 17:10:15
Received From: graylog->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Apr 29 17:10:13 graylog Auditd node=xxx.xxx.xxx.gov type=AVC msg=audit(1430352603.306:2871): avc: denied { read } for pid=1128 comm="rsyslogd" path="/var/log/audit/audit.log" dev=dm-3 ino=20971532 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
--END OF NOTIFICATION
OSSEC HIDS Notification.
2015 Apr 29 17:10:15
Received From: graylog->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Apr 29 17:10:13 graylog Auditd node=xxx.xxx.xxx.gov type=AVC msg=audit(1430352603.306:2872): avc: denied { getattr } for pid=1128 comm="rsyslogd" path="/var/log/audit/audit.log" dev=dm-3 ino=20971532 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
I would like to switch the log collector back to SELinux enforcing, as per the federal security guidelines. But this must be resolved first.
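The two AVC denials quoted above, turned into the minimal SELinux policy module that would permit them, as an added example that is not part of the original post and not rsyslog's or Graylog's own code. It assumes a targeted policy with the stock `syslogd_t` and `auditd_log_t` types shown in the denials; the module name `rsyslog_auditlog`, the helper function names, and the addition of the `open` permission are this example's choices, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post: derive a minimal SELinux policy module
# from the AVC denials quoted above, so rsyslogd (syslogd_t) may read
# /var/log/audit/audit.log (auditd_log_t). The parsing is done with awk so the script
# runs without the SELinux tools; on the collector itself the equivalent is
#   ausearch -c rsyslogd --raw | audit2allow -M rsyslog_auditlog
# Helper names and the module name "rsyslog_auditlog" are assumptions for this example.

# Constructed sample: the two AVC records copied from the OSSEC notifications above.
AVC_SAMPLE='Apr 29 17:10:13 graylog Auditd node=xxx.xxx.xxx.gov type=AVC msg=audit(1430352603.306:2871): avc: denied { read } for pid=1128 comm="rsyslogd" path="/var/log/audit/audit.log" dev=dm-3 ino=20971532 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
Apr 29 17:10:13 graylog Auditd node=xxx.xxx.xxx.gov type=AVC msg=audit(1430352603.306:2872): avc: denied { getattr } for pid=1128 comm="rsyslogd" path="/var/log/audit/audit.log" dev=dm-3 ino=20971532 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file'

# Read AVC records on stdin; print one "source_type target_type class perm" tuple per
# denied permission. A denied "read" on a file is paired with "open" (an assumption
# based on how the kernel orders its checks: the open(2) permission is checked after
# read, so it is the next denial you would otherwise see once read is allowed).
avc_tuples() {
    awk '
    /avc: +denied +[{]/ {
        perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        st = $0; sub(/.*scontext=/, "", st); sub(/ .*/, "", st); split(st, s, ":")
        tt = $0; sub(/.*tcontext=/, "", tt); sub(/ .*/, "", tt); split(tt, t, ":")
        cl = $0; sub(/.*tclass=/, "", cl); sub(/ .*/, "", cl)
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) {
            print s[3], t[3], cl, p[i]
            if (cl == "file" && p[i] == "read") print s[3], t[3], cl, "open"
        }
    }'
}

# Turn the tuples into a type-enforcement (.te) module: one "allow" per
# (source, target, class) carrying the union of its permissions.
avc_to_te() {
    name=$1
    avc_tuples | sort -u | awk -v name="$name" '
    {
        key = $1 SUBSEP $2 SUBSEP $3
        perms[key] = perms[key] " " $4
        types[$1] = 1; types[$2] = 1
        if (!(($3, $4) in seen)) { seen[$3, $4] = 1; cperms[$3] = cperms[$3] " " $4 }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (t in types) printf "    type %s;\n", t
        for (c in cperms) printf "    class %s {%s };\n", c, cperms[c]
        printf "}\n\n"
        for (k in perms) {
            split(k, f, SUBSEP)
            printf "allow %s %s:%s {%s };\n", f[1], f[2], f[3], perms[k]
        }
    }'
}

# Compile and load the module (needs checkpolicy/policycoreutils and root; not run here).
install_te() {
    name=$1
    checkmodule -M -m -o "$name.mod" "$name.te" &&
        semodule_package -o "$name.pp" -m "$name.mod" &&
        semodule -i "$name.pp"
}

# Generate the module source from the sample denials and print it.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te rsyslog_auditlog
```

Save the output as rsyslog_auditlog.te, review it (the only rule it adds is read/getattr/open on the one `auditd_log_t` file class for `syslogd_t`), then `install_te rsyslog_auditlog` and put the box back in enforcing mode. If `ausearch -m AVC -c rsyslogd` then shows a further denial (a `dir search` or `ioctl`, for example), feed that record through the same function and rebuild. An alternative worth weighing, not discussed in the post, is to stop rsyslog reading audit.log at all and enable the audisp syslog plugin (`/etc/audisp/plugins.d/syslog.conf`, `active = yes`), which hands audit events to syslog through a path the stock policy already permits, so no custom module is needed.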