9.1.1.10. Centralized Management of Planned Audit Record Content¶
SIMP centrally controls what audit events are recorded on the clients. The SIMP module controls which of the those events are sent to local syslog daemon so that they may be optionally forwarded to a central syslog server. The following orthogonal list contains the conditions to be met for the SIMP logs to be sent to syslog.
$programname == ‘tlog-rec-session’
$programname == ‘tlog’
$programname ==’yum’
$syslogfacility-text == ‘cron’
$syslogfacility-text == ‘authpriv’
$syslogfacility-text == ‘local5’
$syslogfacility-text == ‘local6
$syslogfacility-text == ‘local7’
$syslogpriority-text == ‘emerg’
$syslogfacility-text == ‘kern’ and $msg startswith ‘IPT:’
SIMP also has a stock rsyslog module which is able to configure an
rsyslog
server for centralized collection. The stock rsyslog
server
configures the rsyslog
daemon to accept logs from SIMP clients and places
them in /var/log/hosts/
. The following files are created for each host in
that directory:
tlog.log
httpd.log
dhcpd.log
puppet-agent-err.log
puppet-agent.log
puppet-master.log
audit.log
slapd.log
iptables.log
secure.log
messages.log
maillog.log
cron.log
spooler.log
boot.log
References: AU-3 (2) : CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT, AU-13 (2) : REVIEW OF MONITORED SITES, AU-6 (4) : CENTRAL REVIEW AND ANALYSIS