Collect Linux auditd and Unix system logs
This document describes how to collect audit daemon (auditd) and Unix system logs, and use the Google SecOps forwarder to ingest logs to Google SecOps.
The procedures in this document have been tested on Debian 11.7 and Ubuntu 22.04 LTS (Jammy Jellyfish).
Collect logs from auditd and syslog
You can configure the Linux hosts to send auditd logs to a Google SecOps forwarder by using rsyslog.
Deploy the audit daemon and the audit dispatching framework by running the following command. If you have already deployed the daemon and framework, you can skip this step.
apt-get install auditd audispd-plugins
To log every command executed on the host, by any user including root, add the following rules to
/etc/audit/rules.d/audit.rules
(one rule per line; the arch=b64 rule matches 64-bit executables and the arch=b32 rule matches 32-bit executables and 32-bit syscalls on a 64-bit kernel, so both are needed):
-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
Auditing every execve produces a high event volume on busy hosts; make sure the forwarder and the rsyslog queues are sized for it.
Restart auditd by running the following command:
service auditd restart
Configure Google SecOps forwarder for auditd
On the Google SecOps forwarder, add a syslog collector with the AUDITD data type. tcp_address is the address and port the forwarder listens on, and is the FORWARDER_IP:PORT target used in the rsyslog configuration below:
- syslog:
    common:
      enabled: true
      data_type: AUDITD
      batch_n_seconds:
      batch_n_bytes:
    tcp_address:
    connection_timeout_sec:
For more information, see Install and configure the Google SecOps forwarder on Linux.
Configure syslog
Verify that the parameters in the
/etc/audisp/plugins.d/syslog.conf
file match the following values. If /etc/audisp/plugins.d does not exist on your host, the plugin files are in /etc/audit/plugins.d (audit 3.x, which Debian 11 and Ubuntu 22.04 ship, moved them there), so edit /etc/audit/plugins.d/syslog.conf instead:
active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_LOCAL6
format = string
args = LOG_LOCAL6 makes the plugin write every audit event to the local6 syslog facility, which is what the rsyslog rule below matches on.
Modify or create the
/etc/rsyslog.d/50-default.conf
file and add the following line at the end of the file:
local6.* @@FORWARDER_IP:PORT
Replace FORWARDER_IP and PORT with the IP address and port of your forwarder (the tcp_address of its AUDITD syslog collector). The first column is the rsyslog selector, written as facility.priority: local6.* matches every message that audisp-syslog writes to the local6 facility, at any priority. The @@ at the start of the second column sends over TCP; a single @ sends over UDP. Prefer TCP, because UDP silently drops events under load. Neither transport encrypts or authenticates the messages, so the path between the host and the forwarder should be a trusted network segment.
To stop the audit events from also being written to the local syslog file, add
local6.none
to the selector of the line that writes the catch-all local log. The file differs by OS: on Debian it is /etc/rsyslog.conf, on Ubuntu it is /etc/rsyslog.d/50-default.conf. The modified line looks like this:
*.*;local6.none;auth,authpriv.none -/var/log/syslog
Restart the following services:
service auditd restart
service rsyslog restart
Collect Unix system logs
Create or modify the
/etc/rsyslog.d/50-default.conf
file and add the following line at the end of the file:
*.* @@FORWARDER_IP:PORT
Replace FORWARDER_IP and PORT with the IP address and port of your forwarder (the tcp_address of its NIX_SYSTEM syslog collector; if the AUDITD collector runs on the same forwarder, the two collectors need different ports). The first column is the rsyslog selector: *.* matches every facility at every priority, so everything rsyslog receives, including the messages that land in the files under /var/log, is sent. The @@ in the second column sends over TCP; a single @ sends over UDP. If the host also forwards auditd events to a separate AUDITD collector, use the selector *.*;local6.none on this line so the audit events are not sent a second time and parsed as generic syslog.
Run the following command to restart the daemon and load the new config:
sudo service rsyslog restart
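As an added example that is not part of the Google SecOps documentation, the following bash script does two checks a practitioner would want before restarting the daemons in the auditd procedure above and in this Unix system log procedure: it compares an audisp syslog plugin file against the values listed earlier and reports any mismatch, and it builds the rsyslog forwarding line from a facility, a protocol and a target, rejecting an unknown protocol or a bad port. The plugin file is a constructed sample, and 192.0.2.10 with ports 10514 and 10515 are placeholder forwarder addresses, not values from the page.

```bash
#!/usr/bin/env bash
# Added example, not part of the Google SecOps documentation.
# audisp_conf_check: compare an audisp syslog plugin file with the values
#   the procedure expects and print every mismatch.
# rsyslog_forward_line: build the "selector target" line for rsyslog and
#   reject an unknown protocol or an invalid port.
# The sample plugin file is constructed below; 192.0.2.10:10514 and :10515
# are placeholder forwarder addresses (assumptions, not from the page).

# Expected plugin settings as key=value (the values listed in the procedure).
AUDISP_EXPECTED="active=yes direction=out path=/sbin/audisp-syslog type=always args=LOG_LOCAL6 format=string"

# Print the file's settings as key=value, one per line: comments and blank
# lines dropped, surrounding whitespace and whitespace around '=' removed.
audisp_conf_pairs() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

# Report every setting that differs from AUDISP_EXPECTED; return 1 if any do.
audisp_conf_check() {
    local file="$1" rc=0 kv key want have
    for kv in $AUDISP_EXPECTED; do
        key=${kv%%=*}
        want=${kv#*=}
        # take the last occurrence if a key is repeated in the file
        have=$(audisp_conf_pairs "$file" | sed -n "s/^${key}=//p" | tail -n 1)
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: expected '$want', found '${have:-<unset>}'"
            rc=1
        fi
    done
    return "$rc"
}

# Build "FACILITY.* @@IP:PORT" (tcp) or "FACILITY.* @IP:PORT" (udp).
# FACILITY is local6 for the audisp feed or '*' for all Unix system logs.
rsyslog_forward_line() {
    local facility="$1" proto="$2" ip="$3" port="$4" at
    case "$proto" in
        tcp) at='@@' ;;
        udp) at='@' ;;
        *) echo "unknown protocol: $proto (use tcp or udp)" >&2; return 2 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 2
    fi
    printf '%s.* %s%s:%s\n' "$facility" "$at" "$ip" "$port"
}

# Constructed sample plugin file: everything as expected except args.
make_sample_conf() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# audisp syslog plugin (constructed sample, not a real host's file)
active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_LOCAL3
format = string
EOF
    echo "$f"
}

sample=$(make_sample_conf)
audisp_conf_check "$sample" || echo "fix $sample before restarting auditd"
rsyslog_forward_line local6 tcp 192.0.2.10 10514   # AUDITD collector
rsyslog_forward_line '*' tcp 192.0.2.10 10515      # NIX_SYSTEM collector
rm -f "$sample"
```

Run it on a real host by passing the actual plugin path to audisp_conf_check; a non-zero exit means one of the listed parameters differs, and the args mismatch in particular means the events will go to a facility the local6.* rule never matches, so nothing reaches the forwarder even though both daemons restart cleanly.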
Configure Google SecOps forwarder for Unix logs
On the Google SecOps forwarder, add a second syslog collector with the NIX_SYSTEM data type. Its tcp_address is the FORWARDER_IP:PORT target used in the rsyslog line above and must not collide with the AUDITD collector's address:
- syslog:
    common:
      enabled: true
      data_type: NIX_SYSTEM
      batch_n_seconds:
      batch_n_bytes:
    tcp_address:
    connection_timeout_sec:
For more information, see Install and configure the Google SecOps forwarder on Linux.