@HariSekhon
Created June 7, 2025 21:23
rsyslog.md from HariSekhon/Knowledge-Base repo: https://github.com/HariSekhon/Knowledge-Base

RSyslog

LogServer Forwarding

Configure RSyslog to forward logs to the logserver.

Edit /etc/rsyslog.conf to add this line (the selector is facility.priority, so *.info means every facility at priority info or above; @@ forwards over TCP, a single @ would use UDP):

*.info @@<hostname_or_ip>

Then restart RSyslog for the change to take effect:

service rsyslog restart

Check that the server has network access to the logserver on TCP port 514:

telnet x.x.x.x 514
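Before restarting rsyslog it is worth checking that the forwarding line is syntactically valid, since rsyslog rejects a selector whose facility name is not one of the documented facilities (a swapped facility/priority is the usual cause) and the host then keeps logging locally without forwarding. The checker below is an added example, not code from the Knowledge-Base page: plain POSIX sh, no rsyslogd needed, handling the classic "selector action" form used on the page (comma-separated facilities, the ! and = priority modifiers, @ and @@ targets with an optional option block and port). The function names and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the Knowledge-Base page): validate an rsyslog
# forwarding line of the classic "selector action" form before restarting
# the daemon, so a typo does not silently stop forwarding.
# Pure POSIX sh; does not need rsyslogd installed.
set -f   # selectors contain a literal '*': disable filename globbing

# Facility and priority names accepted by rsyslog.conf(5).
FACILITIES="auth authpriv cron daemon kern lpr mail mark news security syslog user uucp local0 local1 local2 local3 local4 local5 local6 local7"
PRIORITIES="debug info notice warning warn err error crit alert emerg panic none"

# in_list WORD "LIST OF WORDS" -> 0 if WORD is in the list
in_list() {
  for w in $2; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# check_selector FACILITY[,FACILITY...].PRIORITY -> 0 if every name is valid
check_selector() {
  selector=$1
  case $selector in
    *.*) ;;
    *) echo "selector must be facility.priority: '$selector'" >&2; return 1 ;;
  esac
  facilities=$(printf '%s' "${selector%.*}" | tr ',' ' ')
  priority=${selector##*.}
  priority=${priority#!}; priority=${priority#=}   # drop '!' / '=' modifiers
  for f in $facilities; do
    if [ "$f" != "*" ] && ! in_list "$f" "$FACILITIES"; then
      echo "unknown facility '$f' in '$selector' (facility and priority swapped?)" >&2
      return 1
    fi
  done
  if [ "$priority" != "*" ] && ! in_list "$priority" "$PRIORITIES"; then
    echo "unknown priority '$priority' in '$selector'" >&2
    return 1
  fi
}

# forward_target ACTION -> prints "PROTO HOST PORT" for @host (UDP) and
# @@host (TCP) actions; the port defaults to 514 as in rsyslog. Returns 1
# for anything that is not a network forwarding action.
forward_target() {
  action=$1
  case $action in
    @@*) proto=tcp; rest=${action#@@} ;;
    @*)  proto=udp; rest=${action#@} ;;
    *)   echo "not a network forwarding action: '$action'" >&2; return 1 ;;
  esac
  case $rest in
    \(*\)*) rest=${rest#*\)} ;;   # strip an option block such as "(o)" or "(z9)"
  esac
  host=${rest%%:*}
  port=514
  case $rest in *:*) port=${rest##*:} ;; esac
  [ -n "$host" ] || { echo "empty host in action '$action'" >&2; return 1; }
  case $port in
    ""|*[!0-9]*) echo "bad port '$port' in action '$action'" >&2; return 1 ;;
  esac
  echo "$proto $host $port"
}

# check_forward_line "SELECTOR ACTION" -> prints "PROTO HOST PORT" and returns 0,
# or prints the problem on stderr and returns 1.
check_forward_line() {
  line=$(printf '%s' "$1" | tr '\t' ' ')   # tabs and spaces both separate the fields
  case $line in
    *" "*) ;;
    *) echo "expected '<selector> <action>', got '$line'" >&2; return 1 ;;
  esac
  selector=${line%% *}
  action=${line##* }
  check_selector "$selector" || return 1
  forward_target "$action"
}

# Demo on two constructed lines: a valid forwarding rule, then one with
# facility and priority swapped, which rsyslog would reject.
for l in "*.info @@logserver.example.com" "info.* @@logserver.example.com"; do
  if out=$(check_forward_line "$l"); then
    echo "OK    $l -> $out"
  else
    echo "ERROR $l"
  fi
done
```

Source the file and call check_forward_line on the exact line you intend to add; a zero exit status and a printed "tcp HOST PORT" confirms both the selector and the target parse, and the port it prints is the one the telnet check should use. Bracketed IPv6 targets are not handled.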

Auditd Integration

Install Auditd:

yum install audit audispd-plugins
service auditd start
chkconfig auditd on

Edit the /etc/audisp/plugins.d/syslog.conf file to set this line to activate the plugin:

active = yes

Restart Auditd for these changes to take effect:

service auditd restart

Check your Linux distro version:

cat /etc/*release

and then compare to the configs below:

RHEL v6 to v8 Config

/etc/audisp/plugins.d/syslog.conf contents should look like this:

active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string

RHEL v9 Config

/etc/audisp/plugins.d/syslog.conf contents should look like this:

active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_INFO
format = string

Troubleshooting

Check /var/log/messages for any issues after restarting Auditd.

Unknown builtin builtin_syslog

If you see this error in the log:

auditd[1962051]: Unknown builtin builtin_syslog

Then install the plugin:

yum install audispd-plugins

On RHEL9 the plugin config layout is a bit different, so restore the packaged default (the .rpmnew file) for compatibility:

cp /etc/audit/plugins.d/syslog.conf.rpmnew /etc/audit/plugins.d/syslog.conf

Then edit this line again:

active = yes

Then compare to the complete configs for your RHEL version as shown above.

Then restart Auditd for changes to take effect:

service auditd restart
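The checker below is an added example, not code from the Knowledge-Base page. It serves both the per-version reference configs above and this troubleshooting section: it reads the major version the way cat /etc/*release exposes it (VERSION_ID= or a "release N" line), normalises a syslog.conf plugin file to key=value pairs, compares it against the reference for that RHEL major, and flags the pre-RHEL9 builtin_syslog path that produces the "Unknown builtin builtin_syslog" error. The function names and the constructed sample config are assumptions; the expected values are exactly the two listings above.

```shell
#!/bin/sh
# Added example (not from the Knowledge-Base page): compare an audisp syslog
# plugin config with the per-RHEL-version reference settings listed above.
# Pure POSIX sh plus sed/tr; inputs are read from stdin so it runs offline.

# rhel_major: os-release / redhat-release text on stdin -> major version number
rhel_major() {
  sed -n 's/^VERSION_ID="\{0,1\}\([0-9]*\).*/\1/p; s/.*release \([0-9]*\).*/\1/p' | head -n 1
}

# expected_plugin_conf MAJOR -> the key=value pairs the page lists for that major
expected_plugin_conf() {
  case $1 in
    6|7|8) printf '%s\n' "active=yes" "direction=out" "path=builtin_syslog" \
                         "type=builtin" "args=LOG_INFO" "format=string" ;;
    9)     printf '%s\n' "active=yes" "direction=out" "path=/sbin/audisp-syslog" \
                         "type=always" "args=LOG_INFO" "format=string" ;;
    *)     echo "no reference config for RHEL major '$1'" >&2; return 1 ;;
  esac
}

# normalize_conf: plugin file on stdin -> key=value lines, comments and blank
# lines dropped, whitespace around '=' and at line ends removed
normalize_conf() {
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
      -e 's/[[:space:]]*=[[:space:]]*/=/' \
      -e 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# check_audisp_syslog_conf MAJOR < syslog.conf
# Prints every key that is missing or differs from the reference; returns 0
# only when all six keys match.
check_audisp_syslog_conf() {
  major=$1
  expected=$(expected_plugin_conf "$major") || return 1
  actual=$(normalize_conf)
  rc=0
  for kv in $expected; do
    key=${kv%%=*}
    want=${kv#*=}
    got=$(printf '%s\n' "$actual" | sed -n "s/^$key=//p" | tail -n 1)
    if [ -z "$got" ]; then
      echo "missing: $key (expected $want)"; rc=1
    elif [ "$got" != "$want" ]; then
      echo "mismatch: $key=$got (expected $want)"; rc=1
      if [ "$key" = path ] && [ "$got" = builtin_syslog ] && [ "$major" = 9 ]; then
        echo "hint: pre-RHEL9 plugin config; auditd will log 'Unknown builtin builtin_syslog'"
      fi
    fi
  done
  return $rc
}

# Demo with constructed input: a RHEL 9 host still carrying the v6-v8 style
# plugin config, which is the situation the troubleshooting section describes.
demo_release='NAME="Red Hat Enterprise Linux"
VERSION_ID="9.3"'
major=$(printf '%s\n' "$demo_release" | rhel_major)
printf '%s\n' "active = yes" "direction = out" "path = builtin_syslog" \
              "type = builtin" "args = LOG_INFO" "format = string" \
  | check_audisp_syslog_conf "$major" \
  || echo "plugin config does not match the RHEL $major reference"
```

On a real host run it as cat /etc/*release | rhel_major to get the major, then check_audisp_syslog_conf MAJOR < /etc/audisp/plugins.d/syslog.conf (or the /etc/audit/plugins.d path on RHEL9); a non-zero exit with "mismatch: path=builtin_syslog" on a RHEL9 box is the condition fixed by copying the .rpmnew file back into place.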