We have a few RHEL v8 servers that are planned to be integrated with our QRadar SIEM. We want to enable auditd configuration to maximise the logging from the RHEL servers and don't want to restrict it only to authentication-related events. I have followed the link below as a reference to enable audit logs to be forwarded.
"https://www.ibm.com/docs/en/dsm?topic=os-configuring-linux-send-audit-logs#t_dsm_guide_linux_os_auditlogs"
While doing the same config, we were getting errors while restarting the audit service. We need some help to configure the logging properly.
Error:
Aug 20 10:18:24 evl6800752.ntt-se.infra systemd[1]: Starting Security Auditing Service...
Aug 20 10:18:24 evl6800752.ntt-se.infra auditd[199977]: The disp_qos option is deprecated - line 8
Aug 20 10:18:24 evl6800752.ntt-se.infra auditd[199977]: The dispatcher option is deprecated - line 9
Aug 20 10:18:24 evl6800752.ntt-se.infra auditd[199978]: Unknown builtin builtin_syslog
Aug 20 10:18:24 evl6800752.ntt-se.infra auditd[199978]: audit dispatcher initialized with q_depth=400 and 1 active plugins
Aug 20 10:18:24 evl6800752.ntt-se.infra auditd[199978]: Init complete, auditd 3.0 listening for events (startup state enable)
Aug 20 10:18:24 evl6800752.ntt-se.infra systemd[1]: Started Security Auditing Service.
We tried reviewing the /etc/audit/auditd.conf file and found that dispatcher = /sbin/audispd, but audispd is combined with auditd in RHEL 8. Also, I don't see anything regarding the rules that should be configured in /etc/audit/rules.d/audit.rules for audit to be enabled.
Can anyone help me in case you have worked on enabling auditd logs for RHEL v8?
Thanks
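An added shell check, not from the post or from IBM's documentation, that flags the settings auditd 3.0 (the version shown in the log above) reports at start-up: the deprecated dispatcher/disp_qos lines in auditd.conf, an active plugin file still using the audit 2.x "builtin_*" path (assumed to be the source of "Unknown builtin builtin_syslog"), and how many real rule lines rules.d contains. All file contents below are constructed samples written to a temp directory.

```shell
#!/bin/sh
# Added example, not from the original post: check an auditd.conf, a
# plugins.d directory and a rules.d directory for the settings that
# auditd 3.0 on RHEL 8 reports as deprecated or unknown at start-up.

# Lines in auditd.conf using options auditd 3.0 ignores (audispd is
# built into auditd now, so dispatcher/disp_qos do nothing).
find_deprecated_conf() {
    grep -nE '^[[:space:]]*(dispatcher|disp_qos)[[:space:]]*=' "$1" || true
}

# Active plugin files that still use the audit 2.x "builtin_*" path,
# which 3.0 logs as "Unknown builtin ..." (assumed mapping).
find_builtin_plugins() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if grep -qiE '^[[:space:]]*active[[:space:]]*=[[:space:]]*yes' "$f" &&
           grep -qE '^[[:space:]]*path[[:space:]]*=[[:space:]]*builtin_' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of real rule lines (not blank, not comments) across rules.d/*.rules;
# a control-only file (-D, -b, -f) yields few, a watch list yields many.
count_rules() {
    cat "$1"/*.rules 2>/dev/null | grep -cvE '^[[:space:]]*(#|$)' || true
}

# Constructed sample tree mirroring the post's start-up warnings.
demo() {
    d=$(mktemp -d)
    mkdir "$d/plugins.d" "$d/rules.d"
    printf '%s\n' 'log_file = /var/log/audit/audit.log' 'disp_qos = lossy' \
        'dispatcher = /sbin/audispd' > "$d/auditd.conf"
    printf '%s\n' 'active = yes' 'direction = out' 'path = builtin_syslog' \
        'type = builtin' 'args = LOG_INFO' > "$d/plugins.d/syslog.conf"
    printf '%s\n' 'active = no' 'path = /sbin/audisp-remote' \
        'type = always' > "$d/plugins.d/au-remote.conf"
    printf '%s\n' '## Constructed sample' '-D' '-b 8192' '-f 1' '' \
        '-w /etc/passwd -p wa -k identity' > "$d/rules.d/audit.rules"
    dep=$(find_deprecated_conf "$d/auditd.conf" | wc -l | tr -d ' ')
    bi=$(find_builtin_plugins "$d/plugins.d" | wc -l | tr -d ' ')
    rules=$(count_rules "$d/rules.d")
    rm -rf "$d"
    printf 'deprecated=%s builtin=%s rules=%s\n' "$dep" "$bi" "$rules"
}

demo
```

Point the three functions at /etc/audit/auditd.conf, /etc/audit/plugins.d and /etc/audit/rules.d on the server to see which lines auditd 3.0 is warning about before restarting the service.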