Auditd

Integration Details
- Ingester
- Kit
Auditd Configuration

The standard method of collecting Auditd logs is to install the gravwell-file-follow package, either through your configured package manager or with the standalone shell installer.

Sample File Follower configuration pointing at a Gravwell environment. Create or edit /opt/gravwell/etc/file_follow.conf:

```
Ingest-Secret = IngestSecrets
Insecure-Skip-TLS-Verify = false
Cleartext-Backend-Target=172.20.0.1:4023 #example of adding a cleartext connection
State-Store-Location=/opt/gravwell/etc/file_follow.state
Max-Files-Watched=64
```

Note that a Cleartext-Backend-Target sends the ingest secret and every audit record over plain TCP, so restrict it to trusted networks or use an encrypted backend target instead, and leave Insecure-Skip-TLS-Verify set to false so that certificate validation stays on.
Gravwell Configuration

Gravwell Storage Well Configuration

Set up the well configuration on your Gravwell indexers.

Sample well configuration. Create or edit /opt/gravwell/etc/gravwell.conf.d/auditd-well.conf:

```
[Storage-Well "auditd"]
Location=/opt/gravwell/storage/auditd
Tags=auditd*
# Hot-Duration=30d
# Cold-Duration=90D
# Max-Hot-Storage-GB=20
# Delete-Frozen-Data=true
```
Gravwell File Follower Ingester Configuration

Set up the file follower configuration file. The Tag-Name must be matched by the Tags pattern of the well above (auditd* matches auditd), otherwise the entries will not land in the auditd well. audit.log is normally readable only by root, so make sure the user the file follower runs as can read it.

Sample File Follower configuration. Create or edit /opt/gravwell/etc/file_follow.conf.d/auditd.conf:

```
[Follower "auditd"]
Base-Directory = "/var/log/audit"
File-Filter = "audit.log"
Tag-Name = auditd
```
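The three fragments above only work as a unit: the follower's Tag-Name has to be matched by a Storage-Well Tags glob, and the ingester has to reach a backend, preferably not in cleartext. The following script, an added example and not part of Gravwell's own tooling, parses constructed copies of the page's config fragments and checks those pairings before anything is deployed. The parser handles only the INI-style subset shown on this page (section headers like [Follower "auditd"], key=value lines, trailing # comments, optionally double-quoted values); the Encrypted-Backend-Target key is Gravwell's encrypted counterpart to Cleartext-Backend-Target, and the finding strings are this example's own.

```python
"""Consistency check for a Gravwell well + file follower pairing (added example).

Parses the INI-style fragments from this page and reports:
  * ERROR if a Follower lacks Base-Directory, File-Filter or Tag-Name
  * ERROR if no Storage-Well Tags glob matches the follower's Tag-Name
  * WARN  if only a Cleartext-Backend-Target is configured
  * WARN  if Insecure-Skip-TLS-Verify is true
"""
import fnmatch
import re

# Constructed sample configs mirroring the fragments shown on this page.
GLOBAL_CONF = """\
Ingest-Secret = IngestSecrets
Insecure-Skip-TLS-Verify = false
Cleartext-Backend-Target=172.20.0.1:4023 #example of adding a cleartext connection
State-Store-Location=/opt/gravwell/etc/file_follow.state
Max-Files-Watched=64
"""

WELL_CONF = """\
[Storage-Well "auditd"]
Location=/opt/gravwell/storage/auditd
Tags=auditd*
# Hot-Duration=30d
"""

FOLLOWER_CONF = """\
[Follower "auditd"]
Base-Directory = "/var/log/audit"
File-Filter = "audit.log"
Tag-Name = auditd
"""

# Matches section headers of the form [Type "name"]
SECTION_RE = re.compile(r'^\[(\S+)\s+"([^"]+)"\]$')


def parse_conf(text):
    """Parse a Gravwell-style config into {section: {key: value}}.

    Keys that appear before any [Section] header go under the "" section.
    Trailing '#' comments are stripped and double-quoted values unquoted.
    """
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = f'{m.group(1)} "{m.group(2)}"'
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        sections[current][key.strip()] = value
    return sections


def well_for_tag(wells, tag):
    """Return the Storage-Well section whose Tags glob matches `tag`, else None."""
    for name, kv in wells.items():
        if not name.startswith("Storage-Well "):
            continue
        patterns = [p.strip() for p in kv.get("Tags", "").split(",") if p.strip()]
        if any(fnmatch.fnmatchcase(tag, p) for p in patterns):
            return name
    return None


def check_follower(global_conf, follower_conf, well_conf):
    """Return a list of findings; an empty list means the pairing looks consistent."""
    findings = []
    g = parse_conf(global_conf)[""]
    wells = parse_conf(well_conf)
    followers = parse_conf(follower_conf)

    if "Cleartext-Backend-Target" in g and "Encrypted-Backend-Target" not in g:
        findings.append("WARN: only a Cleartext-Backend-Target is set; "
                        "ingest secret and audit records cross the wire unencrypted")
    if g.get("Insecure-Skip-TLS-Verify", "false").lower() == "true":
        findings.append("WARN: Insecure-Skip-TLS-Verify=true disables certificate checks")

    for name, kv in followers.items():
        if not name.startswith("Follower "):
            continue
        for key in ("Base-Directory", "File-Filter", "Tag-Name"):
            if not kv.get(key):
                findings.append(f"ERROR: {name} is missing {key}")
        tag = kv.get("Tag-Name")
        if tag and well_for_tag(wells, tag) is None:
            findings.append(f"ERROR: {name} tags entries '{tag}' but no Storage-Well "
                            f"Tags pattern matches, so they would not land in the auditd well")
    return findings


if __name__ == "__main__":
    for finding in check_follower(GLOBAL_CONF, FOLLOWER_CONF, WELL_CONF) or ["OK"]:
        print(finding)
```

Run as-is, the page's own sample produces a single WARN about the cleartext backend target; changing Tag-Name to something outside auditd* adds an ERROR, which is the mistake that silently sends audit records to the wrong well.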