2019-01-31 03:51 AM
Hi, I configured my RHEL 7.4 with the Event Source configuration guide and I've followed your procedure, but it doesn't work. The device doesn't send the auditd service logs via rsyslog. Are there any issues with applying this on RHEL 7.4?
We have full communication to the RSA collectors; FW ports are opened.
2019-01-31 04:53 AM
Hi Yuliana,
What did you put in the rsyslog.conf file?
2019-01-31 05:25 AM
Hi Akram.
Thanks for your help.
We put this configuration: *.debug @172.18.53.23
and then service rsyslog restart.
In /etc/audit/auditd.conf, we changed the dispatcher attribute to /sbin/audispd and restarted the auditd service.
In /etc/audisp/plugins.d/syslog.conf we changed it to active = yes.
Regards,
2019-01-31 08:23 AM
Hi Yuliana,
I'm not sure the audit logs have a debug severity.
A good workaround, though, is to change the facility in /etc/audisp/plugins.d/syslog.conf: change "args = LOG_INFO" to any unique facility, maybe LOG_LOCAL4 in your case.
Once done, append the below line to /etc/rsyslog.conf
LOG_LOCAL4.* @10.10.10.10:514
Where 10.10.10.10 is the IP of your log decoder.
2019-01-31 08:25 AM
Yuliana,
Please try adding the port number after the IP address:
Example: *.debug @172.18.53.23:514
This example will send the logs via UDP; if you want to send the logs via TCP, you would simply add another @ sign:
Example: *.debug @@172.18.53.23:514
Best,
Steve
2019-01-31 12:41 PM
Thanks Steve. It's resolved.
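Putting Akram's facility workaround and Steve's forwarding syntax together, here is an added example script (mine, not something posted in the thread or shipped with RSA NetWitness) that applies the whole chain on a RHEL 7 host and checks the result before the services are restarted. It assumes a few things the thread does not spell out: the config tree root is passed as the first argument (so "/" for the real host, or a scratch directory for a dry run); the audisp syslog plugin takes the facility as the second word of its "args" line (args = LOG_INFO LOG_LOCAL4); and rsyslog wants the facility spelled in lowercase without the LOG_ prefix in its selector (local4.*, not LOG_LOCAL4.*). The collector address, port and protocol are arguments; 172.18.53.23 below is just the address from the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): auditd -> audispd syslog plugin ->
# rsyslog forwarder on RHEL 7, plus a pre-restart sanity check.
# Assumptions (mine): config files live under "$root"; the audisp syslog
# plugin's "args" line is "LOG_INFO <facility>"; rsyslog selectors use the
# lowercase facility name (local4), not the C constant (LOG_LOCAL4).
set -euo pipefail

# Map the audisp facility constant (LOG_LOCAL4) to the rsyslog selector
# name (local4). rsyslog rejects the LOG_ prefix in a selector.
rsyslog_facility() {
  printf '%s\n' "${1#LOG_}" | tr '[:upper:]' '[:lower:]'
}

# Build the rsyslog forwarding rule: one @ means UDP, two @@ mean TCP.
forward_rule() {
  local facility="$1" host="$2" port="${3:-514}" proto="${4:-udp}"
  local at='@'
  if [ "$proto" = tcp ]; then
    at='@@'
  fi
  printf '%s.* %s%s:%s\n' "$(rsyslog_facility "$facility")" "$at" "$host" "$port"
}

# Point auditd at audispd and make the syslog plugin emit every audit event
# at LOG_INFO on a dedicated facility, so a plain facility.* selector catches
# them whatever severity the rest of the host logs at.
configure_audisp() {
  local root="$1" facility="$2"
  sed -i -e 's|^dispatcher *=.*|dispatcher = /sbin/audispd|' \
      "$root/etc/audit/auditd.conf"
  sed -i -e 's|^active *=.*|active = yes|' \
         -e "s|^args *=.*|args = LOG_INFO $facility|" \
      "$root/etc/audisp/plugins.d/syslog.conf"
}

# Append the forwarding rule to rsyslog.conf unless it is already there.
configure_rsyslog() {
  local root="$1" conf="$1/etc/rsyslog.conf" rule
  rule="$(forward_rule "$2" "$3" "${4:-514}" "${5:-udp}")"
  grep -qxF "$rule" "$conf" || printf '%s\n' "$rule" >> "$conf"
}

# Checks a practitioner runs before restarting the daemons: every link of
# the chain must be present and the facility must match on both sides.
check_config() {
  local root="$1" facility="$2"
  grep -q '^dispatcher = /sbin/audispd$' "$root/etc/audit/auditd.conf" &&
  grep -q '^active = yes$' "$root/etc/audisp/plugins.d/syslog.conf" &&
  grep -q "^args = LOG_INFO $facility$" "$root/etc/audisp/plugins.d/syslog.conf" &&
  grep -q "^$(rsyslog_facility "$facility")\.\* @" "$root/etc/rsyslog.conf"
}

# Usage: audit-forward.sh ROOT FACILITY HOST [PORT] [udp|tcp]
# e.g.   audit-forward.sh / LOG_LOCAL4 172.18.53.23 514 tcp
main() {
  local root="$1" facility="$2" host="$3" port="${4:-514}" proto="${5:-udp}"
  configure_audisp "$root" "$facility"
  configure_rsyslog "$root" "$facility" "$host" "$port" "$proto"
  check_config "$root" "$facility"
  echo "config ok: restart rsyslog (systemctl) and auditd (service auditd restart)"
}

if [ "$#" -ge 3 ]; then
  main "$@"
fi
```

After the restart, `logger -p local4.info "forward test"` is a quick way to prove the rsyslog leg alone works (the line should show up on the collector even if audit is silent); if that arrives and audit events do not, the problem is in auditd/audispd rather than in the network or the rsyslog rule. On RHEL 7, auditd has to be restarted with `service auditd restart` rather than `systemctl`, which refuses to stop it.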