Configuring the event source server

The rsyslog service is used to transmit events from the server to the KUMA collector.

To configure transmission of events from the server to the collector:

Make sure that the rsyslog service is installed on the event source server. For this purpose, execute the following command:
systemctl status rsyslog.service

If the rsyslog service is not installed on the server, install it by executing the following command:

yum install rsyslog

systemctl enable rsyslog.service

systemctl start rsyslog.service
Edit the audit.service configuration file /etc/audit/auditd.conf and change the value of the name_format parameter to NONE:
name_format=NONE

After editing the settings, restart the auditd service:

sudo systemctl restart auditd.service
In the /etc/rsyslog.d directory, create the audit.conf file with the following content, depending on your protocol:
- To send events over TCP:
  $ModLoad imfile
  
  $InputFileName /var/log/audit/audit.log
  
  $InputFileTag tag_audit_log:
  
  $InputFileStateFile audit_log
  
  $InputFileSeverity info
  
  $InputFileFacility local6
  
  $InputRunFileMonitor
  
  *.* @@<KUMA collector IP address>:<KUMA collector port>
  
  For example:
  
  *.* @@192.1.3.4:5858
- To send events over UDP:
  $ModLoad imfile
  
  $InputFileName /var/log/audit/audit.log
  
  $InputFileTag tag_audit_log:
  
  $InputFileStateFile audit_log
  
  $InputFileSeverity info
  
  $InputFileFacility local6
  
  $InputRunFileMonitor
  
  template(name="AuditFormat" type="string" string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n")
  
  *.* @<KUMA collector IP address>:<KUMA collector port>
  
  For example:
  
  *.* @192.1.3.4:5858;AuditFormat
Save the changes to the audit.conf file.
Restart the rsyslog service by executing the following command:
systemctl restart rsyslog.service

The event source server is configured. Data about events is transmitted from the server to the KUMA collector.

Page top