HowTos – send Audit Logs to a Remote Rsyslog Server in RHEL7X

Perform these steps to set up the syslog server:

1. Uncomment the following lines in the ‘MODULES‘ section of /etc/rsyslog.conf:

# vi /etc/rsyslog.conf
$ModLoad imtcp
$InputTCPServerRun 514

If you are using UDP then uncomment following lines:

# vi /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514

2. Configure the rsyslog server to recieve rsyslog events from client. To receive audit logs from client servers, add below lines in the /etc/rsyslog.conf file:

# vi /etc/rsyslog.conf
$template HostAudit, "/var/log/rsyslog/%HOSTNAME%/audit_log"
local6.* ?HostAudit

3. Restart the rsyslog service.

# service rsyslog restart       ### CentOS/RHEL 6
# systemctl restart rsyslog     ### CentOS/RHEL 7

Client Side configuration

1. Take the backup of the existing /etc/rsyslog.conf.

# cp /etc/rsyslog.conf /etc/rsyslog.conf.bkp

2. Append the following rules to the /etc/rsyslog.conf file for directing the logs to central rsyslog server. “imfile” module has to be loaded on the rsyslogd, otherwise the configuration for directing the auditd log won’t work.

# vi /etc/rsyslog.conf
#audit log
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6

*.*                                      @[serverip]      ### Add rsyslog server IP here

Make sure you replace @[serverip] with your rsyslog server IP address.

3. Restart the rsyslog service for the changes to take effect.

# service rsyslog restart       ### CentOS/RHEL 6
# systemctl restart rsyslog     ### CentOS/RHEL 7


Understanding /etc/group file

/etc/group Defines the default system group entries for system groups that support some system-wide tasks, such as printing, network administration, or electronic mail. Many of these groups have corresponding entries in the /etc/passwd file. Because most of the linux systems use a UPG scheme, a new entry is automatically created in /etc/group when a new user is added. The group name is the same as the username.

Interpreting an /etc/group File Entry

This picture below provides an example of a default /etc/group file entry. Each entry in the /etc/group file contains four fields. A colon separates each field. The following is the format for an entry:


Each entry in the /etc/group file contains four fields: The description and requirement for each field are as follows:

Field Purpose
groupname Contains the name assigned to the group.
group-password (x) x in this field indicates that shadow passwords are used.
GID Contains the group’s GID number.
username-list List of users that are members of the group

Each group can have multiple users. Users can also belong to more than one group. The GID stored in the user’s entry in /etc/passwd is the user’s primary group.

Group Account Administration

1. Use the groupadd command to add a group account:

# groupadd [options] group_name

Example: To add a user (tom) to a group (students):

# gpasswd –a tom students

2. Use the groupmod command to modify a group account:

# groupmod [options] group_name

3. Use the gpasswd command to administer group accounts:

# gpasswd [options] group_name

4. Use the groupdel command to delete a group account. The syntax is:

# groupdel group_name

You can remove groups even if there are members in the group. You cannot remove the primary group of any existing user. You must remove the user before removing the group.

5. Use the gpasswd command to administer /etc/group and /etc/gshadow. Every group can have administrators, members, and a password. The syntax is:

# gpasswd [options] group_name

The groups command

The groups command displays the groups that a user belongs to. The following example illustrates that user oracle belongs to two groups, oracle (primary group) and students (secondary group):

# grep oracle /etc/passwd
oracle:x:1000:1000:Oracle DBA:/home/oracle/bin/bash
# grep oracle /etc/group
oracle:x:1000: students:x:1056:student1,student2,oracle

The groups command (logged on as oracle) verifies these group memberships.

$ whoami
$ groups 
oracle students

The newgrp command

The newgrp command executes a new shell and changes a user’s real group identification. The following example illustrates the group ID before and after running the command. It also illustrates that a new shell is executed.

$ id
uid=1000(oracle) gid=1000(oracle)


Note that the gid equals 1000(oracle).

$ ps
20279 pts/0 00:00:00 bash 20411 pts/0 00:00:00 ps
$ newgrp students
$ id
uid=1000(oracle) gid=1066(students)

Note that the gid now equals 1066(students). Also note that a new shell was executed:

$ ps
20279 pts/0 00:00:00 bash
20464 pts/0 00:00:00 bash
20486 pts/0 00:00:00 ps

Ron Jagannathan has written 54 articles

Ronan is a Caffeine dependent life-form from Planet Earth who wants to be a Jedi Knight of cloud computing. A man of mystery and power, whose power is exceeded only by his mystery. Quantum Physicist, TransHumanist, Systems Architect, Unix Administrator, Artificial Intelligence, Machine Learning and DIY Gadget enthusiast. Believes that the Universe has a high probability of being a simulation.
But he's real and hopefully some of his readers are too.
email: ph: 202 355 5205
My Famous Quotes:
“In a Unix Universe, God is known by a four letter word called root. To err is really foul requires you to be root.. err.. god.” ― Ron Jagannathan


“Quotes found on the Internet are not always accurate.” ― Abraham Lincoln

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>