# Auditdistd to remote syslog



## spybsd (Jul 16, 2014)

Hello,

I'm trying to forward my audit trail through auditdistd to a remote syslog server which is running our SIEM environment. Has anyone already managed to forward audit information to syslog using auditdistd? Below configuration in place:

/etc/security/auditdistd.conf

```
sender {
        host "syslog" {
                remote "1.2.3.4:514"
        }
}
```

/etc/security/audit_control


```
dir:/var/audit
dist:on
flags:lo,aa,ad,fc,fd,fw,ex
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
```

/etc/security/audit_user

```
root:lo,ad,ex:no
user1:lo,fc,ad,fw,fd,ex:no
user2:lo,fc,ad,fw,fd,ex:no
```

/etc/rc.conf contains both audit_enable and auditdistd_enable. However I'm never getting any audit trails forwarded to the syslog.

`praudit` shows a working configuration:

```
praudit /var/audit/current
header,56,11,audit startup,0,Wed Jul 16 10:09:06 2014, + 276 msec
text,auditd::Audit startup
return,success,0
trailer,56
```

Any insights are more than welcome.


----------



## SirDice (Jul 16, 2014)

The auditdistd(8) doesn't send syslog messages because those are insecure. It requires a auditdistd(8) at the listening end. 

From auditdistd.conf(5):

```
remote <addr>

           Address of the remote auditdistd daemon.  Format is the same as for
           the listen statement.  When operating in the sender mode this
           address will be used to connect to the receiver.  When operating in
           the receiver mode only connections from this address will be
           accepted.
```

Note that remote is used to send data to a remote auditdistd(8), not syslog.


----------



## spybsd (Jul 16, 2014)

Do you think it could be achieved using a trick like this:


```
praudit /var/audit/current |logger-t audits -p local0.info
```


----------



## SirDice (Jul 16, 2014)

Sure but you have to realize that syslog is very insecure. It's UDP and quite easily spoofed. That's not something you want to deal with when you rely on audit data.


----------



## spybsd (Jul 16, 2014)

That's the downside *I* agree but *I* have no choice, as *I* have to comply to a security standard that require*s* all audit trails generated on the information system to be sent to a central logging system. Last but not least IS is heterogenous and *I* have to deal with BSD, Linux, and Windows environments.

Anyway *I* tried the logger trick, it works, but it sends me the whole output of `praudit` each time *I* run the command. I would like to have only new event, so *I* keep trying things 

If you guys have any ideas on how *I* can work around this limitation, feel free!


----------



## junovitch@ (Jul 17, 2014)

spybsd said:
			
		

> That's the downside *I* agree but *I* have no choice, as *I* have to comply to a security standard that require*s* all audit trails generated on the information system to be sent to a central logging system. Last but not least IS is heterogenous and *I* have to deal with BSD, Linux, and Windows environments.
> 
> Anyway *I* tried the logger trick, it works, but it sends me the whole output of `praudit` each time *I* run the command. I would like to have only new event, so *I* keep trying things
> 
> If you guys have any ideas on how *I* can work around this limitation, feel free!



Can you set up a VM or separate physical machine directly connected to your current central logging system?  Use the VM or separate system running FreeBSD and auditdistd to receive audit logs securely then redistribute using a less secure means over a directly connected or local interface where the risk are lower.  That seems like it might meet the intent of the rule and at least do it mostly securely.


----------



## freethread (Jul 17, 2014)

I don't have a solution to your problem, but I set my modem/router to send syslog messages to FreeBSD server. I had to add this line in rc.conf in order the server accept messages


```
syslogd_flags="-a 1.2.3.0/24:* -b 1.2.3.1"
```

where the -a flag is the network segment where the router is part of (using the asterisc ':*' is mandatory, don't ask me why, I set it to 514 but it does not work, or I made a mistake) and the -b flag is the FreeBSD server address (binding address not the router address).

Using host names does not work, I invastigated and found that BIND starts after syslog, so if the host names are local names, managed by the DNS on the same machine, they will not be resolved. I hope this help.


----------



## spybsd (Jul 18, 2014)

Thanks for your replies.
Sure I can add a separate machine to gather  auditdistd events.
However I would still have the forward to syslog issue.

I'm now looking in a nice way to only forward new audit records from the /var/audit/current.
The output of `praudit` I sent through the `logger` trick contains the whole events...

If you have an idea on how this could be achieved?


----------



## spybsd (Jul 18, 2014)

Few more information:

I think i'm quite close to achieve the needed behaviour.
Currently I'm using the following solution to forward newest audit trails to the syslog:


```
root@static-host:~ # praudit /dev/auditpipe | logger -t static_host_audits -h 1.2.3.4
```

Do you guys think this could be easily daemonize ?


----------



## SirDice (Jul 18, 2014)

spybsd said:
			
		

> Sure I can add a separate machine to gather  auditdistd events.
> However I would still have the forward to syslog issue.


You could send the events to that server using auditdistd(8) and use the _local_ syslog of that machine to pass the messages on. That way there would be less risk of the audit data being modified before it gets sent to the central server.


----------



## spybsd (Jul 21, 2014)

Hereunder what i finally put in place to solve my issue.
Maybe not the most fashion way to do it, but a tleast it's working as desired.

I have created a simple rc script that can be found below:

/usr/local/etc/rc.d/audit2syslog


```
#!/bin/sh

# 
#
# PROVIDE: audit2syslog
# REQUIRE: Kernel AUDIT option 1
# 
# 
#
# Add the following lines to /etc/rc.conf to enable audit2syslog:
#
# audit2syslog_enable="YES"
#
#
# audit2syslog_flags=""
# Value -t (tag) -h (host) -p (facility)

. /etc/rc.subr

name=audit2syslog
rcvar=audit2syslog_enable

load_rc_config $name

command=/usr/sbin/praudit

start_cmd=${name}_start
stop_cmd=${name}_stop

audit2syslog_start()
{
       /usr/sbin/praudit -l /dev/auditpipe | logger ${audit2syslog_flags} &
}

audit2syslog_stop()
{

                PID=`pgrep praudit`
                kill -s HUP $PID
}

run_rc_command "$1"
```

The following content has been added to /etc/rc.conf


```
auditd_enable="YES"
audit2syslog_enable="YES"
audit2syslog_flags="-t your_tag -h your_host -p your facility"
```

Most of my critical machines are in a non internet facing DMZ, that's why i choose this way.
For web facing server, i will use the solution proposed by SirDice to keep the audit log integrity.


----------

