Kaushal Shriyan
2021-Jul-09 07:08 UTC
[CentOS] Auditing all Linux clients with centralised server
Hi,

I have 20 Linux servers in the network. Is there a way to audit all Linux clients using a centralized server? For example, what commands are run by John on Linuxnode1? Steve on Linuxnode15? And so on and so forth, to track user activity. Which files have been modified or edited, or commands, etc., by the users.

I have installed auditd, but it is local to the Linux server.

Thanks in advance.

Best Regards,

Kaushal
J Martin Rushton
2021-Jul-09 07:23 UTC
[CentOS] Auditing all Linux clients with centralised server
A cut-and-paste from my Wiki:

-------------------%<------------------------

Remote logging

Auditing, particularly from compute nodes, may be centralised to reduce the number of files needed to get a view of the cluster.

Server

The server machine must be configured to accept messages and must have a large enough logging area to store the records.

The server listens on port 60. Configure this as tcp_listen_port in /etc/audit/auditd.conf.

The server must only accept messages from a privileged port. If this is not done, any userland process could inject nefarious messages. It is safe to configure the server to accept messages from any privileged port:

    tcp_client_ports=1-1023

in /etc/audit/auditd.conf.

On the server increase tcp_listen_queue to 16 to ensure enough requests for connections can be handled during a power-on bootup.

You will need to restart the daemon for these changes to come into effect.

Clients

The client machines may either forward messages at once or else batch them up in a queue. Generally machines with local storage should use the queue, which preserves the log in the event of a crash.

You will need to restart the daemon for all these changes to come into effect: systemctl restart auditd.

Ensure the appropriate software and configuration is loaded:

    # yum install audisp-remote

/etc/audisp/audisp-remote.conf

The client needs to know where, and to which port, to send messages. As mentioned above, the client must send from a privileged port.

    remote_server=<server FQDN>
    port=60
    local_port=61

On diskless clients set mode=immediate, on other clients set mode=forward. Accept the defaults for queue_file and queue_depth.

/etc/audisp/plugins.d/au-remote.conf

By default the dispatcher is configured off, therefore remember to set active=yes to turn on the remote logging.

/etc/audit/auditd.conf

Once you are happy with the logging, turn off the local copy. For CentOS C7.3 and later machines use:

    local_events = no
    log_format = RAW

------------------%<----------------------------

I have not tested this recently, it was last running (IIRC) on C6/7, so proceed with caution.

Regards,
Martin

-- 
J Martin Rushton MBCS
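A small check script for the settings the wiki excerpt above describes, added here as an example and not part of Martin's wiki or of the audit package: it reads a client's audisp-remote.conf and au-remote.conf and a server's auditd.conf (paths given as arguments, so copies can be checked) and reports any value that would let the remote logging silently not work or accept records from unprivileged source ports.

```shell
#!/bin/sh
# Added example, not from the wiki excerpt: verify the auditd remote-logging
# settings described above (port 60, privileged local port, active=yes on the
# client; 1-1023 client ports and a listen queue of 16 on the server).

# get_key FILE KEY: print the value of the last "KEY = value" line in FILE
get_key() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# check_client REMOTE_CONF PLUGIN_CONF: exit status 0 when every check passes
check_client() {
    rc=0
    [ -n "$(get_key "$1" remote_server)" ] || { echo "remote_server not set"; rc=1; }
    [ "$(get_key "$1" port)" = 60 ] || { echo "port must be 60"; rc=1; }
    lport=$(get_key "$1" local_port)
    # the server only accepts connections coming from a privileged source port
    case "$lport" in
        ''|*[!0-9]*) echo "local_port '$lport' is not numeric"; rc=1 ;;
        *) [ "$lport" -ge 1 ] && [ "$lport" -le 1023 ] ||
               { echo "local_port $lport is outside the privileged range 1-1023"; rc=1; } ;;
    esac
    case "$(get_key "$1" mode)" in
        immediate|forward) ;;
        *) echo "mode must be immediate (diskless) or forward"; rc=1 ;;
    esac
    # the dispatcher plugin is off by default, so nothing leaves the box without this
    [ "$(get_key "$2" active)" = yes ] || { echo "au-remote.conf: active must be yes"; rc=1; }
    return $rc
}

# check_server AUDITD_CONF: exit status 0 when every check passes
check_server() {
    rc=0
    [ "$(get_key "$1" tcp_listen_port)" = 60 ] || { echo "tcp_listen_port must be 60"; rc=1; }
    # anything wider than 1-1023 lets an unprivileged process inject audit records
    [ "$(get_key "$1" tcp_client_ports)" = 1-1023 ] ||
        { echo "tcp_client_ports must be 1-1023"; rc=1; }
    [ "$(get_key "$1" tcp_listen_queue)" = 16 ] || { echo "tcp_listen_queue should be 16"; rc=1; }
    return $rc
}
```

Run it on a client as `check_client /etc/audisp/audisp-remote.conf /etc/audisp/plugins.d/au-remote.conf` and on the server as `check_server /etc/audit/auditd.conf`; a non-zero exit status means at least one line was printed.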
Ralf Prengel
2021-Jul-09 07:25 UTC
[CentOS] Auditing all Linux clients with centralised server
Hello,

what about Ansible, for example?

Ralf