Collect Linux auditd and Unix system logs

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

Last updated 2025-09-04 UTC.

This document describes how to collect audit daemon (auditd) and Unix system logs,
and use the Google Security Operations forwarder to ingest logs to Google SecOps.

The procedures in this document have been tested on Debian 11.7 and Ubuntu 22.04 LTS (Jammy Jellyfish).

Collect logs from auditd and syslog

You can configure the Linux hosts to send auditd logs to a Google SecOps
forwarder by using rsyslog.

1. Deploy the audit daemon and the audit dispatching framework by running the following command.
   If you have already deployed the daemon and framework, you can skip this step.

   ```
   apt-get install auditd audispd-plugins
   ```

2. To enable logging of all commands executed by any user, including root, add the following
   lines to `/etc/audit/rules.d/audit.rules`:

   ```
   -a exit,always -F arch=b64 -S execve
   -a exit,always -F arch=b32 -S execve
   ```

   **Note:** If you have enabled Google SecOps [Linux Threats curated detections](/chronicle/docs/detection/linux-threats-category), ensure that you're using the appropriate auditd configuration.

3. Restart auditd by running the following command:

   ```
   service auditd restart
   ```

Configure Google SecOps forwarder for auditd

On the Google SecOps forwarder, specify the following data type:

```
- syslog:
    common:
      enabled: true
      data_type: AUDITD
      batch_n_seconds:
      batch_n_bytes:
    tcp_address:
    connection_timeout_sec:
```

For more information, see [Install and configure the Google SecOps forwarder on Linux](/chronicle/docs/install/forwarder-linux).

Configure syslog

1. Verify that the parameters in the `/etc/audisp/plugins.d/syslog.conf` file match the following values:

   ```
   active = yes
   direction = out
   path = /sbin/audisp-syslog
   type = always
   args = LOG_LOCAL6
   format = string
   ```

2. Modify or create the `/etc/rsyslog.d/50-default.conf` file and add the following line at the end of the file:

   ```
   local6.* @@FORWARDER_IP:PORT
   ```

   Replace `FORWARDER_IP` and `PORT` with the IP address and port of your forwarder. The first column
   indicates which logs are sent from `/var/log` over rsyslog. The `@@` in the second column indicates
   that TCP is used to send the message. To use UDP, use one `@`.

3. To disable local logging to syslog, configure rsyslog by adding `local6.none`
   to the line that configures what is logged to local syslog. The file differs for each
   OS. For Debian the file is `/etc/rsyslog.conf`, and for Ubuntu the file is
   `/etc/rsyslog.d/50-default.conf`:

   ```
   *.*;local6.none;auth,authpriv.none -/var/log/syslog
   ```

4. Restart the following services:

   ```
   service auditd restart
   service rsyslog restart
   ```

Collect Unix system logs

1. Create or modify the `/etc/rsyslog.d/50-default.conf` file and add the following line at the end of the file:

   ```
   *.* @@FORWARDER_IP:PORT
   ```

   Replace `FORWARDER_IP` and `PORT` with the IP address and port of your forwarder.
   The first column indicates which logs are sent from `/var/log` over rsyslog. The `@@`
   in the second column indicates that TCP is used to send the message. To use UDP, use one `@`.

   Because the `*.*` selector matches every facility, including `local6`, a host that also forwards
   auditd records with the `local6.*` line above sends those records to both destinations unless you
   exclude them here, for example `*.*;local6.none @@FORWARDER_IP:PORT`.

2. Run the following command to restart the daemon and load the new config:

   ```
   sudo service rsyslog restart
   ```

Configure Google SecOps forwarder for Unix logs

On the Google SecOps forwarder, specify the following data type:

```
- syslog:
    common:
      enabled: true
      data_type: NIX_SYSTEM
      batch_n_seconds:
      batch_n_bytes:
    tcp_address:
    connection_timeout_sec:
```

For more information, see [Install and configure the Google SecOps forwarder on Linux](/chronicle/docs/install/forwarder-linux).
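To check what the execve rules above actually produce once audisp-syslog hands them to rsyslog on facility local6, here is an added example (not from this page or from Google SecOps) that joins the SYSCALL and EXECVE records by audit serial, decodes hex-encoded arguments, and flags commands that ran as root under a non-root login user (auid). The sample records are constructed; the hostname, PIDs and timestamps are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of audisp-syslog records as rsyslog would forward them on facility local6
# (trimmed; real SYSCALL records carry more fields). Serial 456: b64 execve running as root under
# sudo by login user 1000. Serial 457: b32 execve running as user 1000 without escalation.
SAMPLE_LINES = """\
Sep  4 10:15:01 web01 audispd: node=web01 type=SYSCALL msg=audit(1725444901.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1235 auid=1000 uid=0 gid=0 euid=0 tty=pts0 comm="ls" exe="/usr/bin/ls" key=(null)
Sep  4 10:15:01 web01 audispd: node=web01 type=EXECVE msg=audit(1725444901.123:456): argc=3 a0="ls" a1="-la" a2=2F746D702F6D7920646972
Sep  4 10:15:02 web01 audispd: node=web01 type=SYSCALL msg=audit(1725444902.500:457): arch=40000003 syscall=11 success=yes exit=0 ppid=1235 pid=1240 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 comm="id" exe="/usr/bin/id" key=(null)
Sep  4 10:15:02 web01 audispd: node=web01 type=EXECVE msg=audit(1725444902.500:457): argc=1 a0="id"
""".splitlines()

MSG_RE = re.compile(r"type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\):(?P<body>.*)")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\(null\)|\S+)')

def unquote(val):
    return val[1:-1] if len(val) >= 2 and val[0] == val[-1] == '"' else val

def decode_arg(val):
    """auditd quotes printable args and hex-encodes those with spaces or non-printable bytes."""
    if val.startswith('"'):
        return unquote(val)
    try:
        return bytes.fromhex(val).decode("utf-8", "replace")
    except ValueError:
        return val

def reconstruct_commands(lines):
    """Join SYSCALL and EXECVE records by audit serial into one command event each."""
    events = defaultdict(dict)
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue  # not an audit record (other syslog traffic on the same feed)
        ev, fields = events[m["serial"]], dict(FIELD_RE.findall(m["body"]))
        if m["type"] == "SYSCALL":
            ev.update({k: unquote(v) for k, v in fields.items() if k in ("auid", "uid", "exe")})
        elif m["type"] == "EXECVE":
            ev["argv"] = [decode_arg(fields.get(f"a{i}", "")) for i in range(int(fields.get("argc", 0)))]
    commands = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        if "argv" not in ev or "exe" not in ev:
            continue  # incomplete pair: the matching record has not arrived yet
        commands.append({"serial": int(serial), "auid": int(ev["auid"]), "uid": int(ev["uid"]),
                         "exe": ev["exe"], "cmdline": " ".join(ev["argv"]),
                         # root process whose login user was not root (auid 4294967295 = unset)
                         "elevated": ev["uid"] == "0" and ev["auid"] not in ("0", "4294967295")})
    return commands
```

Feed it the lines received on the forwarder's AUDITD port to confirm that both the b64 and b32 rules are firing and that arguments with spaces survive the hex encoding intact.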