A cut-and-paste from my Wiki:
-------------------%<------------------------
Remote logging
Auditing, particularly from compute nodes, may be centralised to reduce
the number of files needed to get a view of the cluster.
Server
The server machine must be configured to accept messages and must have a
large enough logging area to store the records.
The server listens on port 60. Configure this as tcp_listen_port in
/etc/audit/auditd.conf.
The server must only accept messages from a privileged port. If this is
not done any userland process could inject nefarious messages. It is
safe to configure the server to accept messages from any privileged
port: tcp_client_ports=1-1023 in /etc/audit/auditd.conf.
On the server increase tcp_listen_queue to 16 to ensure enough requests
for connections can be handled during a power-on bootup.
You will need to restart the daemon for these changes to come into effect.
Clients
The client machines may either forward messages at once or else batch
them up in a queue. Generally machines with local storage should use the
queue which preserves the log in the event of a crash.
You will need to restart the daemon for all these changes to come into
effect: systemctl restart auditd.
Ensure the appropriate software and configuration is loaded:
# yum install audisp-remote
/etc/audisp/audisp-remote.conf
The client needs to know where, and to which port to send messages. As
mentioned above, the client must send from a privileged port.
remote_server=<server FQDN>
port=60
local_port=61
On diskless clients set mode=immediate, on other clients set
mode=forward. Accept the defaults for queue_file and queue_depth.
/etc/audisp/plugins.d/au-remote.conf
By default the dispatcher is configured off, therefore remember to set
active=yes
to turn on the remote logging.
/etc/audit/auditd.conf
Once you are happy with the logging, turn off the local copy. For CentOS
C7.3 and later machines use:
local_events = no
log_format = RAW
------------------%<----------------------------
I have not tested this recently; it was last running (IIRC) on C6/7, so
proceed with caution.
Regards,
Martin
On 09/07/2021 08:08, Kaushal Shriyan wrote:
Hi,
I have 20 Linux servers in the network. Is there a way to audit all Linux
clients using a centralized server? For example, what commands are run by
John on Linuxnode1? Steve on Linuxnode15? and so on and so forth to
track user activity. Which files have been modified or edited, or commands
etc. by the users.
I have installed auditd, but it is local to the Linux server.
Thanks in advance.
Best Regards,
Kaushal
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
--
J Martin Rushton MBCS
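An added example (not from Martin's wiki or the audit project): a small POSIX shell checker for the privileged-port rule described above, verifying that the client's local_port and the server's tcp_client_ports stay inside 1-1023. The file paths it reads and the sample config contents are constructed for a stand-alone run.

```shell
#!/bin/sh
# Added example, not from the mail: check that client (audisp-remote.conf) and
# server (auditd.conf) settings enforce the privileged-port rule. Paths are args.

# conf_get FILE KEY: print KEY's value, ignoring comments and whitespace.
# Last occurrence wins; that is this checker's rule, not a claim about auditd.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# is_priv_port VALUE: true when VALUE is an integer in 1..1023
is_priv_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 1023 ]
}

# check_client_config FILE: remote_server and port set, local_port privileged,
# otherwise a server restricted to tcp_client_ports=1-1023 will refuse it.
check_client_config() {
    [ -n "$(conf_get "$1" remote_server)" ] || { echo "$1: remote_server unset"; return 1; }
    [ -n "$(conf_get "$1" port)" ] || { echo "$1: port unset"; return 1; }
    lp=$(conf_get "$1" local_port)
    is_priv_port "$lp" || { echo "$1: local_port '$lp' is not in 1-1023"; return 1; }
}

# check_server_config FILE: tcp_client_ports must be an explicit port or lo-hi
# range inside 1-1023, so a userland process cannot inject messages.
check_server_config() {
    r=$(conf_get "$1" tcp_client_ports)
    [ -n "$r" ] || { echo "$1: tcp_client_ports unset"; return 1; }
    is_priv_port "${r%%-*}" && is_priv_port "${r##*-}" ||
        { echo "$1: tcp_client_ports '$r' admits unprivileged ports"; return 1; }
}

# Constructed sample configs (hypothetical server name) for a stand-alone run.
TMP=$(mktemp -d)
printf 'remote_server = audit.example.internal\nport = 60\nlocal_port = 61\nmode = forward\n' > "$TMP/client-ok.conf"
printf 'remote_server = audit.example.internal\nport = 60\nlocal_port = 40000\n' > "$TMP/client-bad.conf"
printf '# constructed auditd.conf fragment\ntcp_listen_port = 60\ntcp_client_ports = 1-1023\ntcp_listen_queue = 16\n' > "$TMP/server-ok.conf"
printf 'tcp_listen_port = 60\ntcp_client_ports = 1-65535\n' > "$TMP/server-bad.conf"

for f in "$TMP"/*.conf; do
    case "$f" in *client*) check_client_config "$f" && echo "$f: ok" ;;
                 *)        check_server_config "$f" && echo "$f: ok" ;; esac
done
```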