9.1.1.10. Centralized Management of Planned Audit Record Content

SIMP centrally controls what audit events are recorded on the clients. The SIMP module controls which of the those events are sent to local syslog daemon so that they may be optionally forwarded to a central syslog server. The following orthogonal list contains the conditions to be met for the SIMP logs to be sent to syslog.

• $programname == ‘tlog-rec-session’

• $programname == ‘tlog’

• $programname ==’yum’

• $syslogfacility-text == ‘cron’

• $syslogfacility-text == ‘authpriv’

• $syslogfacility-text == ‘local5’

• $syslogfacility-text == ‘local6

• $syslogfacility-text == ‘local7’

• $syslogpriority-text == ‘emerg’

• $syslogfacility-text == ‘kern’ and $msg startswith ‘IPT:’

SIMP also has a stock rsyslog module which is able to configure an rsyslog server for centralized collection. The stock rsyslog server configures the rsyslog daemon to accept logs from SIMP clients and places them in /var/log/hosts/. The following files are created for each host in that directory:

• tlog.log

• httpd.log

• dhcpd.log

• puppet-agent-err.log

• puppet-agent.log

• puppet-master.log

• audit.log

• slapd.log

• iptables.log

• secure.log

• messages.log

• maillog.log

• cron.log

• spooler.log

• boot.log

References: AU-3 (2) : CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT, AU-13 (2) : REVIEW OF MONITORED SITES, AU-6 (4) : CENTRAL REVIEW AND ANALYSIS