Kaspersky Next XDR Expert

Configuring receipt of Auditd events

KUMA lets you collect and analyze Auditd events from Linux hosts.

Before configuring event receiving, make sure to create a new KUMA collector for the Auditd events.

Configuring the receipt of Auditd events proceeds in stages:

  1. Configuring the KUMA collector for receiving Auditd events.
  2. Configuring the event source server.
  3. Verifying receipt of Auditd events by the KUMA collector.

    You can verify that the Auditd event source server is configured correctly by searching for related events in the KUMA Console.

In this section

Configuring the KUMA collector for receiving Auditd events

Configuring the event source server

[Topic 239760]

Configuring the KUMA collector for receiving Auditd events

At the Transport step, make the Auditd option active.

After creating the collector in the KUMA Console, install it on the server in your network infrastructure that is intended to receive events; rsyslog on the event source forwards events to this server.

For details on installing the KUMA collector, refer to the Installing collector in the network infrastructure section.

[Topic 239795]

Configuring the event source server

The rsyslog service is used to transmit events from the server to the KUMA collector.

To configure transmission of events from the server to the collector:

  1. Make sure that the rsyslog service is installed on the event source server. For this purpose, execute the following command:

    systemctl status rsyslog.service

    If the rsyslog service is not installed on the server, install it and enable it to start at boot by executing the following commands (shown for yum-based distributions; use your distribution's package manager otherwise):

    yum install rsyslog

    systemctl enable rsyslog.service

    systemctl start rsyslog.service

  2. Edit the auditd service configuration file /etc/audit/auditd.conf and set the name_format parameter to NONE, so that auditd does not insert a node= field with the host name into each record (rsyslog supplies the host name when it forwards the message):

    name_format=NONE

    After editing the settings, restart the auditd service:

    sudo systemctl restart auditd.service

  3. In the /etc/rsyslog.d directory, create the audit.conf file with the following content, depending on your protocol. In both variants the *.* selector forwards every message that reaches rsyslog, not only the audit log; TCP delivery is reliable, UDP delivery is not, and neither variant encrypts events in transit.
    • To send events over TCP:

      $ModLoad imfile

      $InputFileName /var/log/audit/audit.log

      $InputFileTag tag_audit_log:

      $InputFileStateFile audit_log

      $InputFileSeverity info

      $InputFileFacility local6

      $InputRunFileMonitor

      *.* @@<KUMA collector IP address>:<KUMA collector port>

      For example:

      *.* @@192.1.3.4:5858

    • To send events over UDP:

      $ModLoad imfile

      $InputFileName /var/log/audit/audit.log

      $InputFileTag tag_audit_log:

      $InputFileStateFile audit_log

      $InputFileSeverity info

      $InputFileFacility local6

      $InputRunFileMonitor

      template(name="AuditFormat" type="string" string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n")

      *.* @<KUMA collector IP address>:<KUMA collector port>;AuditFormat

      For example:

      *.* @192.1.3.4:5858;AuditFormat

  4. Save the changes to the audit.conf file.
  5. Restart the rsyslog service by executing the following command:

    systemctl restart rsyslog.service

The event source server is configured. Audit events are now forwarded from the server to the KUMA collector.
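The following shell helpers are an added example and are not part of the Kaspersky documentation or the KUMA product. They apply steps 2 and 3 of the procedure above to files passed as parameters, so the result can be checked on temporary copies before anything under /etc is touched. The function names are hypothetical, and one deliberate assumption differs from the page: the forwarding rule selects local6.* (the facility the fragment assigns to audit lines) instead of *.*, so that only the audit log is sent to the collector.

```shell
#!/bin/sh
# Added example (not Kaspersky's code): helpers for steps 2 and 3 of the
# Auditd event source configuration. All paths are parameters so the
# functions can be exercised against temporary files. Function names and
# the local6.* selector are assumptions made for this example.

# Step 2: force name_format = NONE in an auditd.conf while keeping every
# other setting. With NONE, auditd inserts no node= field into records;
# the host name then comes only from rsyslog's %HOSTNAME% property.
set_name_format_none() {
    conf="$1"
    tmp="${conf}.tmp"
    if grep -Eq '^[[:space:]]*name_format[[:space:]]*=' "$conf"; then
        sed -E 's/^[[:space:]]*name_format[[:space:]]*=.*$/name_format = NONE/' "$conf" > "$tmp" \
            && mv "$tmp" "$conf"
    else
        printf 'name_format = NONE\n' >> "$conf"
    fi
    check_name_format_none "$conf"
}

# Returns 0 only when the file sets name_format to NONE (with or without
# spaces around "=").
check_name_format_none() {
    grep -Eq '^[[:space:]]*name_format[[:space:]]*=[[:space:]]*NONE[[:space:]]*$' "$1"
}

# Step 3: print the /etc/rsyslog.d/audit.conf fragment for "tcp" or "udp".
# The UDP variant also emits the AuditFormat template and references it in
# the forwarding rule; the selector is local6.* rather than the page's *.*,
# so other syslog traffic on the host is not forwarded to the collector.
gen_audit_conf() {
    proto="$1"; host="$2"; port="$3"
    case "$proto" in
        tcp) target="@@${host}:${port}" ;;
        udp) target="@${host}:${port};AuditFormat" ;;
        *)   echo "unsupported protocol: $proto (use tcp or udp)" >&2; return 1 ;;
    esac
    cat <<'EOF'
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
EOF
    if [ "$proto" = udp ]; then
        printf '%s\n' 'template(name="AuditFormat" type="string" string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n")'
    fi
    printf 'local6.* %s\n' "$target"
}

# Syntax-check the rsyslog configuration before restarting the service.
# With no arguments rsyslogd checks its default configuration, which
# includes /etc/rsyslog.d; returns 2 when rsyslogd is not installed.
validate_rsyslog_conf() {
    command -v rsyslogd >/dev/null 2>&1 || { echo "rsyslogd not found" >&2; return 2; }
    rsyslogd -N 1 "$@"
}

# Typical use on the event source server (as root), for example:
#   set_name_format_none /etc/audit/auditd.conf && systemctl restart auditd.service
#   gen_audit_conf tcp 192.1.3.4 5858 > /etc/rsyslog.d/audit.conf
#   validate_rsyslog_conf && systemctl restart rsyslog.service
```

Run gen_audit_conf against a temporary file first and diff it against the fragment shown in step 3; the only intended difference is the local6.* selector. If you keep the page's *.* selector instead, expect the collector to receive the host's ordinary syslog messages alongside the audit records.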

[Topic 239849]