Contents
Configuring the event source server
The rsyslog service is used to transmit events from the server to the KUMA collector.
To configure transmission of events from the server to the collector:
- Make sure that the rsyslog service is installed on the event source server. For this purpose, execute the following command:
systemctl status rsyslog.serviceIf the rsyslog service is not installed on the server, install it by executing the following command:
yum install rsyslogsystemctl enable rsyslog.servicesystemctl start rsyslog.service - Edit the audit.service configuration file /etc/audit/auditd.conf and change the value of the
name_formatparameter toNONE:name_format=NONEAfter editing the settings, restart the auditd service:
sudo systemctl restart auditd.service - In the /etc/rsyslog.d directory, create the audit.conf file with the following content, depending on your protocol:
- To send events over TCP:
$ModLoad imfile$InputFileName /var/log/audit/audit.log$InputFileTag tag_audit_log:$InputFileStateFile audit_log$InputFileSeverity info$InputFileFacility local6$InputRunFileMonitor*.* @@<KUMA collector IP address>:<KUMA collector port>For example:*.* @@192.1.3.4:5858 To send events over UDP:$ModLoad imfile$InputFileName /var/log/audit/audit.log$InputFileTag tag_audit_log:$InputFileStateFile audit_log$InputFileSeverity info$InputFileFacility local6$InputRunFileMonitortemplate(name="AuditFormat" type="string" string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n")*.* @<KUMA collector IP address>:<KUMA collector port>For example:*.* @192.1.3.4:5858;AuditFormat
- To send events over TCP:
- Save the changes to the audit.conf file.
- Restart the rsyslog service by executing the following command:
systemctl restart rsyslog.service
The event source server is configured. Data about events is transmitted from the server to the KUMA collector.
Page top