
Linux Logging and Auditing (auditd)

cpx May 25, 2026 17 min read GNU/Linux

1. Introduction

This guide covers essential logging and auditing setup for Linux systems. It’s intentionally practical and direct.

2. Summary

Basic logging setup:

# Enable essential logging
systemctl enable rsyslog
systemctl start rsyslog

# Setup audit daemon
apt install auditd    # Debian/Ubuntu
yum install audit     # RHEL/CentOS (dnf on recent releases)
systemctl enable auditd
systemctl start auditd

# Basic audit rules. auditctl changes the running kernel only; these rules
# are gone after a reboot unless they are also written to /etc/audit/rules.d
# (see the FAQ on making rules permanent).
auditctl -w /etc/passwd -p wa -k user-modify
auditctl -w /etc/shadow -p wa -k user-modify
auditctl -w /var/log/audit/ -p wa -k audit-logs

Basic monitoring:

# View logs
tail -f /var/log/syslog    # Debian/Ubuntu
tail -f /var/log/messages  # RHEL/CentOS

# View audit logs
ausearch -k user-modify
aureport --summary

3. Detailed Setup

Kernel Requirements

  • CONFIG_AUDIT
  • CONFIG_AUDITSYSCALL
  • CONFIG_AUDIT_WATCH
  • CONFIG_AUDIT_TREE

Essential Log Files

/var/log/auth.log      # Authentication (Debian/Ubuntu)
/var/log/syslog        # System log (Debian/Ubuntu)
/var/log/audit/        # Audit logs written by auditd (audit.log and its rotations)
/var/log/kern.log      # Kernel messages (Debian/Ubuntu)
/var/log/secure        # Authentication (RHEL/CentOS; the system log there is /var/log/messages)

Basic Audit Rules

# File monitoring
auditctl -w /etc/passwd -p wa -k user-modify
auditctl -w /etc/group -p wa -k group-modify
auditctl -w /etc/sudoers -p wa -k sudoers-modify

# Command monitoring: one record per process start, system-wide. Filter on
# auid (see the rule set below) before running this on a busy host.
auditctl -a always,exit -F arch=b64 -S execve -k commands
auditctl -a always,exit -F arch=b32 -S execve -k commands

# Network changes
auditctl -w /etc/hosts -p wa -k network-modify
auditctl -w /etc/resolv.conf -p wa -k network-modify

ATT&CK-mapped Rule Set

The block below is a complete /etc/audit/audit.rules as augenrules generates it from /etc/audit/rules.d, with keys named after MITRE ATT&CK technique IDs so that ausearch -k and aureport -k group events by technique. It is deliberately broad: the watches on everyday binaries (ls, cat, grep, ps, chmod, ...) and the DIR_LIST syscall rule at the end produce a record on every invocation by every user. Treat it as a menu and prune to what your log pipeline can absorb before loading it on a busy host. The first two lines flush whatever rules are loaded and raise the kernel backlog so that bursts of events are queued rather than dropped.

## This file is automatically generated from /etc/audit/rules.d
## delete all currently loaded rules
-D
## kernel backlog: events queued before auditd reads them
-b 8192


-w /bin/su -p x -k T1169_Sudo
-w /usr/bin/sudo -p x -k T1169_Sudo
-w /usr/bin/visudo -p x -k T1169_Sudo

-w /usr/bin/mv -p x -k T1005_Data_from_Local_System

-a always,exit -F arch=b64 -S ptrace -k T1055_Process_Injection_PTRACE
-a always,exit -F arch=b32 -S ptrace -k T1055_Process_Injection_PTRACE

-w /usr/bin/qemu-system-x86_64 -p x -k qemu-system-x86_64
-w /usr/bin/qemu-img -p x -k qemu-img
-w /usr/bin/qemu-kvm -p x -k qemu-kvm
-w /usr/bin/virt-manager -p x -k virt-manager
-w /usr/bin/VBoxManage -p x -k VBoxManage
-w /usr/bin/certutil -p x -k Deobfuscate_T1140
-w /usr/sbin/chkconfig -p x -k chkconfig_T1562
-w /usr/bin/update-ca-trust -p x -k update-ca-trust
-w /usr/sbin/update-ca-certificates -p x -k update-ca-certificates
-w /usr/bin/chown -p x -k chown
-w /usr/bin/svcadm -p x -k svcadm
-w /usr/bin/virtualbox -p x -k virtualbox
-w /usr/bin/qemu -p x -k qemu
-w /usr/bin/splunk -p x -k splunk
-w /usr/sbin/splunk -p x -k splunk
-w /usr/bin/unzip -p x -k Deobfuscate_T1140
-w /usr/bin/base64 -p x -k Deobfuscate_T1140
-w /usr/bin/openssl -p x -k Deobfuscate_T1140
-w /usr/bin/systemctl -p x -k Indicator_Blocking
-w /usr/bin/pkill -p x -k pkill
-w /usr/sbin/iptables -p x -k iptables
-w /usr/sbin/xtables-multi -p x -k iptables_xtables
-w /usr/bin/gcc -p x -k gcc
-a always,exit -F dir=/var/log -F arch=b64 -S unlink -S unlinkat -S rmdir -F auid>=1000 -F auid!=4294967295 -F exit=0  -k T1070_002
## No dir= filter: every successful unlink/rmdir by any logged-in user, system-wide.
## Keep the /var/log rule above and drop this one if it floods.
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rmdir -F auid>=1000 -F auid!=4294967295 -F exit=0  -k T1070_002
-a always,exit -F dir=/sbin -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -F exit=0  -k T1070_002
-a always,exit -F dir=/usr/sbin -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -F exit=0  -k T1070_002
-a always,exit -F dir=/bin -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -F exit=0  -k T1070_002
-a always,exit -F dir=/usr/bin -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -F exit=0  -k T1070_002

-a always,exit -F dir=/var/log -F arch=b32 -S unlink -S unlinkat -S rmdir -F auid>=1000 -F auid!=4294967295 -F exit=0  -k T1070_002
## b32 counterpart of the system-wide unlink rule (same volume caveat)
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rmdir -F auid>=1000 -F auid!=4294967295 -F exit=0  -k T1070_002
-a always,exit -F dir=/sbin -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -F exit=0  -k T1070_002
-a always,exit -F dir=/usr/sbin -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -F exit=0  -k T1070_002
-a always,exit -F dir=/bin -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -F exit=0  -k T1070_002
-a always,exit -F dir=/usr/bin -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -F exit=0  -k T1070_002

-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -F exit=0  -k T1099_Timestomp
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -F exit=0  -k T1099_Timestomp
-w /etc/localtime -p wa -k T1099_Timestomp
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k T1070_Indicator_Removal_on_Host
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k T1070_Indicator_Removal_on_Host
## -p wa: a watch without -p defaults to rwxa and also records every read of the
## file, and the dynamic loader consults this file at program start.
-w /etc/ld.so.preload -p wa -k T1574_Hijack_Execution_Flow


-w /usr/bin/yum -p x -k T1547_Boot_or_Logon_Autostart_Execution
-w /usr/bin/apt-get -p x -k T1547_Boot_or_Logon_Autostart_Execution
-w /usr/bin/apt -p x -k T1547_Boot_or_Logon_Autostart_Execution

-w /usr/bin/chmod -p x -k T1548_Abuse_Elevation_Control_Mechanism

-a always,exit -F arch=b32 -F path=/etc/sudoers -S open -S openat -F auid>=1000 -F auid!=4294967295 -k ACCOUNT_DISC
-a always,exit -F arch=b64 -F path=/etc/sudoers -S open -S openat -F auid>=1000 -F auid!=4294967295 -k ACCOUNT_DISC

-w /etc/sudoers.d -p wa -k T1169_Sudo


## root (uid=0) touching a file under /home whose owner is not the login user
## (-C auid!=obj_uid): a sudo/su session working inside someone else's home.
-a always,exit -F arch=b64 -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -k T1169_Sudo
-a always,exit -F arch=b32 -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -k T1169_Sudo

-w /usr/bin/ps -p x -k T1057_Process_Discovery
-w /usr/bin/top -p x -k T1057_Process_Discovery
-w /usr/sbin/lsof -p x -k T1057_Process_Discovery
-w /usr/bin/lsof -p x -k T1057_Process_Discovery
-w /usr/bin/pgrep -p x -k T1057_Process_Discovery
-w /usr/sbin/pidof -p x -k T1057_Process_Discovery

-w /usr/bin/zip -p x -k T1002_Data_Compressed
-w /usr/bin/gzip -p x -k T1002_Data_Compressed
-w /usr/bin/tar -p x -k T1002_Data_Compressed
-w /usr/sbin/route -p x -k T1016_System_Network_Configuration_Discovery
-w /usr/sbin/ifconfig -p x -k T1016_System_Network_Configuration_Discovery
-w /etc/resolv.conf -p wa -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts.allow -p wa -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts.deny -p wa -k T1016_System_Network_Configuration_Discovery
-w /etc/hosts -p wa -k T1016_System_Network_Configuration_Discovery
-w /etc/pam.d/common-password -p wa -k T1201_Password_Policy_Discovery
-w /etc/pam.d -p wa -k T1556_Modify_Authentication_Process

## RHEL/CentOS path; on Debian/Ubuntu the module lives under /lib/x86_64-linux-gnu/security/
-w /usr/lib64/security/pam_unix.so -p wa -k T1556_Modify_Authentication_Process


-a always,exit -F arch=b64 -F path=/etc/group  -S open -S openat -F auid>=1000 -F auid!=4294967295  -k T1087_Account_Discovery
-a always,exit -F arch=b64 -F path=/etc/passwd -S open -S openat -F auid>=1000 -F auid!=4294967295 -k T1087_Account_Discovery
-a always,exit -F arch=b32 -F path=/etc/passwd -S open -S openat -F auid>=1000 -F auid!=4294967295 -k T1087_Account_Discovery
-w /etc/gshadow -p r -k T1087_Account_Discovery
-a always,exit -F arch=b32 -F path=/etc/shadow -S open -S openat -F auid>=1000 -F auid!=4294967295 -k T1087_Account_Discovery
-a always,exit -F arch=b64 -F path=/etc/shadow -S open -S openat -F auid>=1000 -F auid!=4294967295 -k T1087_Account_Discovery

-w /usr/bin/getent -p x -k T1087_Account_Discovery
-w /usr/bin/who -p x -k T1087_Account_Discovery
-w /usr/bin/whoami -p x -k T1087_Account_Discovery
-w /usr/bin/id -p x -k T1087_Account_Discovery
-w /usr/bin/groups -p x -k T1087_Account_Discovery
-w /usr/bin/users -p x -k T1087_Account_Discovery
-w /usr/bin/ldapsearch -p x -k T1087_Account_Discovery


-w /usr/bin/hostname -p x -k T1033_System_Owner_User_Discovery



-w /bin/sysctl -p x -k T1016_System_Network_Configuration_Discovery
-w /bin/ip -p x -k T1016_System_Network_Configuration_Discovery
-w /bin/traceroute -p x -k T1016_System_Network_Configuration_Discovery
-w /bin/tracepath -p x -k T1016_System_Network_Configuration_Discovery
-w /usr/bin/sysctl -p x -k T1016_System_Network_Configuration_Discovery
-w /usr/sbin/sysctl -p x -k T1016_System_Network_Configuration_Discovery
-w /usr/bin/ip -p x -k T1016_System_Network_Configuration_Discovery
-w /usr/bin/traceroute -p x -k T1016_System_Network_Configuration_Discovery
-w /usr/bin/tracepath -p x -k T1016_System_Network_Configuration_Discovery
-w /proc/sys/net/ipv4/ip_forward -p wa -k T1016_System_Network_Configuration_Discovery
-w /etc/sysconfig/network -p wa -k T1016_System_Network_Configuration_Discovery
-w /etc/sysconfig/network-scripts/ifcfg-device -p wa -k T1016_System_Network_Configuration_Discovery


-w /usr/bin/netstat -p x -k T1049_System_Network_Connections_Discovery

-w /usr/sbin/arp -p x -k T1018_Remote_system_Discovery
-w /usr/sbin/nslookup -p x -k T1018_Remote_system_Discovery
-w /usr/sbin/dig -p x -k T1018_Remote_system_Discovery
-w /usr/bin/arp -p x -k T1018_Remote_system_Discovery
-w /usr/bin/nslookup -p x -k T1018_Remote_system_Discovery
-w /usr/bin/dig -p x -k T1018_Remote_system_Discovery
-a always,exit -F arch=b64 -F path=/proc/net/tcp -S open -S openat -F auid>=1000 -F auid!=4294967295 -k T1018_Remote_system_Discovery
-a always,exit -F arch=b64 -F path=/proc/net/arp -S open -S openat -F auid>=1000 -F auid!=4294967295 -k T1018_Remote_system_Discovery

## Every ls/find/... invocation by every user: the noisiest watches in this set.
## pwd is normally a shell builtin, so that watch rarely fires.
-w /usr/bin/ls -p x -k T1083_File_And_DIrectory_Discovery
-w /usr/bin/dir -p x -k T1083_File_And_DIrectory_Discovery
-w /usr/bin/tree -p x -k T1083_File_And_DIrectory_Discovery
-w /usr/bin/find -p x -k T1083_File_And_DIrectory_Discovery
-w /usr/bin/locate -p x -k T1083_File_And_DIrectory_Discovery
-w /usr/bin/pwd -p x -k T1083_File_And_DIrectory_Discovery


-w /usr/bin/showmount -p x -k T1135_Network_Share_Discovery
-w /usr/bin/exportfs -p x -k T1135_Network_Share_Discovery
-w /usr/bin/nmblookup -p x -k T1135_Network_Share_Discovery
-w /usr/sbin/showmount -p x -k T1135_Network_Share_Discovery
-w /usr/sbin/exportfs -p x -k T1135_Network_Share_Discovery
-w /usr/sbin/nmblookup -p x -k T1135_Network_Share_Discovery
-w /etc/exports -p wa -k T1135_Network_Share_Discovery
-w /etc/fstab -p wa -k T1135_Network_Share_Discovery


-w /usr/bin/dmidecode -p x -k T1497_Sandbox_Evasion_System_Checks
-w /usr/bin/facter -p x -k T1497_Sandbox_Evasion_System_Checks
-w /usr/bin/lshw -p x -k T1497_Sandbox_Evasion_System_Checks
-w /usr/bin/dmesg -p x -k T1497_Sandbox_Evasion_System_Checks
-w /usr/bin/hostnamectl -p x -k T1497_Sandbox_Evasion_System_Checks
-w /usr/bin/systemd-detect-virt -p x -k T1497_Sandbox_Evasion_System_Checks
-w /usr/bin/imvirt -p x -k T1497_Sandbox_Evasion_System_Checks
-w /usr/sbin/facter -p x -k T1497_Sandbox_Evasion_System_Checks
-w /usr/sbin/dmesg -p x -k T1497_Sandbox_Evasion_System_Checks
-w /usr/sbin/hostnamectl -p x -k T1497_Sandbox_Evasion_System_Checks
-w /usr/sbin/systemd-detect-virt -p x -k T1497_Sandbox_Evasion_System_Checks
-w /usr/sbin/imvirt -p x -k T1497_Sandbox_Evasion_System_Checks


-w /usr/bin/uname -p x -k T1082_System_Information_Discovery
-w /usr/bin/lscpu -p x -k T1082_System_Information_Discovery
-w /usr/bin/lsblk -p x -k T1082_System_Information_Discovery
-w /usr/bin/fdisk -p x -k T1082_System_Information_Discovery
-w /usr/bin/lsb_release -p x -k T1082_System_Information_Discovery
-w /usr/sbin/uname -p x -k T1082_System_Information_Discovery
-w /usr/sbin/lscpu -p x -k T1082_System_Information_Discovery
-w /usr/sbin/lsblk -p x -k T1082_System_Information_Discovery
-w /usr/sbin/fdisk -p x -k T1082_System_Information_Discovery
-w /usr/sbin/lsb_release -p x -k T1082_System_Information_Discovery
-w /etc/os-release -p r -k T1082_System_Information_Discovery
-a always,exit -F arch=b32 -F path=/etc/hostname -S open -S openat -F auid>=1000 -F auid!=4294967295 -k T1082_System_Information_Discovery
-a always,exit -F arch=b64 -F path=/etc/hostname -S open -S openat -F auid>=1000 -F auid!=4294967295 -k T1082_System_Information_Discovery



-w /usr/bin/ufw -p x -k T1518_Security_Software_Discovery
-w /usr/bin/pfctl -p x -k T1518_Security_Software_Discovery
-w /usr/bin/pf -p x -k T1518_Security_Software_Discovery
-w /usr/bin/getenforce -p x -k T1518_Security_Software_Discovery
-w /usr/sbin/ufw -p x -k T1518_Security_Software_Discovery
-w /usr/sbin/pfctl -p x -k T1518_Security_Software_Discovery
-w /usr/sbin/pf -p x -k T1518_Security_Software_Discovery
-w /usr/sbin/getenforce -p x -k T1518_Security_Software_Discovery


-w /usr/bin/bettercap -p x -k T1040_Network_Sniffing
-w /usr/bin/dsniff -p x -k T1040_Network_Sniffing
-w /usr/bin/eigrp-tools -p x -k T1040_Network_Sniffing
-w /usr/bin/ettercap -p x -k T1040_Network_Sniffing
-w /usr/bin/httpsniff -p x -k T1040_Network_Sniffing
-w /usr/bin/netsniff-ng -p x -k T1040_Network_Sniffing
-w /usr/bin/sslsniff -p x -k T1040_Network_Sniffing
-w /usr/bin/ssldump -p x -k T1040_Network_Sniffing
-w /usr/bin/tcpick -p x -k T1040_Network_Sniffing
-w /usr/bin/wireshark-cli -p x -k T1040_Network_Sniffing
-w /usr/bin/wireshark-qt -p x -k T1040_Network_Sniffing
-w /usr/bin/wifi-monitor -p x -k T1040_Network_Sniffing
-w /usr/bin/tcpdump -p x -k T1040_Network_Sniffing

-w /usr/sbin/bettercap -p x -k T1040_Network_Sniffing
-w /usr/sbin/dsniff -p x -k T1040_Network_Sniffing
-w /usr/sbin/eigrp-tools -p x -k T1040_Network_Sniffing
-w /usr/sbin/ettercap -p x -k T1040_Network_Sniffing
-w /usr/sbin/httpsniff -p x -k T1040_Network_Sniffing
-w /usr/sbin/netsniff-ng -p x -k T1040_Network_Sniffing
-w /usr/sbin/sslsniff -p x -k T1040_Network_Sniffing
-w /usr/sbin/ssldump -p x -k T1040_Network_Sniffing
-w /usr/sbin/tcpick -p x -k T1040_Network_Sniffing
-w /usr/sbin/wireshark-cli -p x -k T1040_Network_Sniffing
-w /usr/sbin/wireshark-qt -p x -k T1040_Network_Sniffing
-w /usr/sbin/wifi-monitor -p x -k T1040_Network_Sniffing
-w /usr/sbin/tcpdump -p x -k T1040_Network_Sniffing


-w /usr/bin/ftp -p x -k T1105_remote_file_copy
-w /usr/bin/sftp -p x -k T1105_remote_file_copy
-w /usr/bin/scp -p x -k T1105_remote_file_copy
-w /usr/bin/rsync -p x -k T1105_remote_file_copy

-w /usr/bin/cp -p x -k T1005_Data_from_Local_System
-w /usr/bin/dd -p x -k T1005_Data_from_Local_System


-w /bin/nc -p x -k T1219_Remote_Access_Tools
-w /bin/netcat -p x -k T1219_Remote_Access_Tools
-w /usr/bin/ncat -p x -k T1219_Remote_Access_Tools
-w /usr/bin/ssh -p x -k T1219_Remote_Access_Tools
-w /usr/bin/socat -p x -k T1219_Remote_Access_Tools
-w /usr/bin/rdesktop -p x -k T1219_Remote_Access_Tools
-w /usr/bin/teamviewer -p x -k T1219_Remote_Access_Tools
-w /usr/bin/LogMein -p x -k T1219_Remote_Access_Tools

-w /usr/bin/sendmail -p x -k T1505_Server_Software_Component
-w /usr/bin/postfix -p x -k T1505_Server_Software_Component

-w /usr/sbin/sshd -p x -k T1133_External_Remote_Services
-w /usr/sbin/vsftpd -p x -k T1133_External_Remote_Services
-w /usr/sbin/ftpd -p x -k T1133_External_Remote_Services

-w /usr/sbin/usermod -p x -k T1078_Valid_Accounts
-w /usr/bin/passwd -p x -k T1078_Valid_Accounts

-w /usr/bin/crontab -p x -k T1053_Scheduled_Task
-w /etc/cron.d -p wa -k T1053_Scheduled_Task
-w /etc/cron.daily -p wa -k T1053_Scheduled_Task
-w /etc/cron.deny -p wa -k T1053_Scheduled_Task
-w /etc/cron.hourly -p wa -k T1053_Scheduled_Task
-w /etc/cron.monthly -p wa -k T1053_Scheduled_Task
-w /etc/crontab -p wa -k T1053_Scheduled_Task
-w /etc/cron.weekly -p wa -k T1053_Scheduled_Task
-w /etc/at.deny -p wa -k T1053_Scheduled_Task
-w /etc/at.allow -p wa -k T1053_Scheduled_Task
-w /usr/bin/at -p x -k T1053_Scheduled_Task

## RHEL/CentOS path; Debian/Ubuntu use /boot/grub/grub.cfg
-w /boot/grub2/grub.cfg -p wa -k T1542_PreS_Boot


## trap is a shell builtin, not a binary; this watch only fires if such a file is ever created
-w /usr/bin/trap -p x -k T1546_Event_Triggered_Execution
-w /etc/rc.local -p wa -k T1546_Event_Triggered_Execution
-w /root/.bash_profile -p wa -k T1546_Event_Triggered_Execution
-w /root/.bashrc -p wa -k T1546_Event_Triggered_Execution
-w /home/ -p x -k T1546_Event_Triggered_Execution

-w /etc/systemd/system -p wa -k T1543_Create_or_Modify_System_Process
-w /usr/lib/systemd/system/ -p wa -k T1543_Create_or_Modify_System_Process

-w /usr/bin/realm -p x -k T1136_Create_Account_Domain_Account
-w /usr/sbin/realm -p x -k T1136_Create_Account_Domain_Account
-w /usr/sbin/useradd -p x -k T1136_Create_Account_Domain_Account
-w /usr/sbin/adduser -p x -k T1136_Create_Account_Domain_Account

## Records every cat/grep/vi by anyone. Useful during an investigation, rarely sustainable as a standing rule.
-w /usr/bin/grep -p x -k T1552_Unsecured_Credentials
-w /usr/bin/cat -p x -k T1552_Unsecured_Credentials
-w /usr/bin/vi -p x -k T1552_Unsecured_Credentials
-w /usr/bin/vim -p x -k T1552_Unsecured_Credentials

-w /usr/bin/unshadow -p x -k T1003_Credential_Dumping


-w /usr/sbin/modprobe -p x -k T1547_Boot_or_Logon_Autostart_Execution
-w /usr/sbin/insmod -p x -k T1547_Boot_or_Logon_Autostart_Execution
-w /usr/sbin/lsmod -p x -k T1547_Boot_or_Logon_Autostart_Execution
-w /usr/sbin/rmmod -p x -k T1547_Boot_or_Logon_Autostart_Execution
-w /usr/sbin/modinfo -p x -k T1547_Boot_or_Logon_Autostart_Execution

-w /etc/ssh/sshd_config -p wa -k T1098_Account_Manipulation_SSH_Authorized_Keys


## getdents64 is the variant glibc actually calls; getdents alone misses it.
## -F exit=0 matches the final, empty read of a listing, so this is roughly one
## record per directory listing by any logged-in user: the single noisiest rule here.
-a always,exit -F arch=b64 -S getdents -S getdents64 -F auid>=1000 -F auid!=4294967295 -F exit=0 -k DIR_LIST
-a always,exit -F arch=b32 -S getdents -S getdents64 -F auid>=1000 -F auid!=4294967295 -F exit=0 -k DIR_LIST
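Before loading a rule set this size it pays to lint it mechanically. The script below is an added example written for this guide; it is not part of the audit package and not code from the page. It reads a rules file body and reports the defects that bite in practice: a duplicate rule (auditctl refuses it and, unless run with -c, stops at the first error), a -w watch without -p (which defaults to rwxa and records every read), a syscall rule without -F arch= or with the arch after the first -S, a syscall listed twice, and auid>=1000 without an auid!=unset exclusion (the unset auid 4294967295 is larger than any real uid, so daemons match). SAMPLE_RULES is constructed for the demo and the CONTROL set of accepted control lines is this example's own choice.

```python
"""Lint an auditd rules file before `augenrules --load`.

Added example for this guide, not part of the audit package. It understands
only the rule forms used above: -w watches, -a/-A syscall rules and the
control lines such as -D and -b. SAMPLE_RULES is constructed for the demo.
"""
import shlex
import sys
from collections import Counter

UNSET_AUID = "4294967295"   # auid of processes that never logged in (daemons)
CONTROL = {"-D", "-b", "-e", "-f", "-i", "-c", "-r", "--backlog_wait_time"}

# Constructed sample: valid lines plus the defects the linter is meant to catch.
SAMPLE_RULES = """\
-D
-b 8192
-w /etc/passwd -p wa -k user-modify
-w /etc/passwd -p wa -k user-modify
-w /etc/ld.so.preload -k T1574_Hijack_Execution_Flow
-a always,exit -F arch=b64 -S getdents -S getdents -F auid>=1000 -F auid!=4294967295 -k DIR_LIST
-a always,exit -S execve -k commands
-a always,exit -F arch=b64 -S execve -F auid>=1000 -k user-commands
-w /usr/bin/chmod -p x
"""


def lint_audit_rules(text):
    """Return a list of (line_no, message) findings for a rules file body."""
    findings = []
    seen = Counter()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)          # audit rules are whitespace-tokenised
        head = toks[0]
        if head in CONTROL:
            continue
        if head not in ("-w", "-a", "-A"):
            findings.append((no, f"unrecognised rule start {head!r}"))
            continue
        seen[line] += 1
        if seen[line] == 2:
            findings.append((no, "duplicate rule: auditctl rejects it ('Rule exists') "
                                 "and, unless run with -c, stops at the first error"))
        if "-k" not in toks and not any(t.startswith("key=") for t in toks):
            findings.append((no, "no -k key, so ausearch -k / aureport -k never find its events"))
        if head == "-w":
            if "-p" not in toks:
                findings.append((no, "watch without -p defaults to rwxa: one record per read"))
            continue
        # Syscall rule: collect -F filters and -S syscalls in their written order.
        filters = [toks[i + 1] for i, t in enumerate(toks[:-1]) if t == "-F"]
        syscalls = [toks[i + 1] for i, t in enumerate(toks[:-1]) if t == "-S"]
        if syscalls:
            arch_pos = next((i for i, t in enumerate(toks[:-1])
                             if t == "-F" and toks[i + 1].startswith("arch=")), None)
            if arch_pos is None:
                findings.append((no, "syscall rule without -F arch=: add a b64 and a b32 variant"))
            elif arch_pos > toks.index("-S"):
                findings.append((no, "-F arch= must come before the first -S"))
            dups = sorted(s for s, c in Counter(syscalls).items() if c > 1)
            if dups:
                findings.append((no, "syscall listed twice: " + ", ".join(dups)))
        has_min_auid = any(f.startswith("auid>=") for f in filters)
        excludes_unset = any(f in (f"auid!={UNSET_AUID}", "auid!=-1", "auid!=unset")
                             for f in filters)
        if has_min_auid and not excludes_unset:
            findings.append((no, "auid>=N also matches daemons (unset auid is 4294967295); "
                                 "add -F auid!=unset"))
    return findings


if __name__ == "__main__":
    body = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for no, msg in lint_audit_rules(body):
        print(f"line {no}: {msg}")      # six findings for SAMPLE_RULES, lines 4 to 9
```

Run it as `python3 lint_rules.py /etc/audit/rules.d/audit.rules` before `augenrules --load`; an empty result means none of the checked defects is present, not that every rule is sensible.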

Log Rotation

# /etc/logrotate.d/syslog
# Debian/Ubuntu already ship /etc/logrotate.d/rsyslog covering this path;
# edit that file instead of adding a second stanza for the same log.
/var/log/syslog {
    rotate 7
    daily
    missingok
    notifempty
    compress
    postrotate
        # rsyslog reopens its files on SIGHUP; its unit has no reload action
        systemctl kill -s HUP rsyslog.service
    endscript
}

4. Post-install Instructions

  1. Verify logging works:

logger "Test log entry"
tail /var/log/syslog        # /var/log/messages on RHEL/CentOS

  2. Test audit system:

auditctl -l                 # List loaded rules
ausearch -k user-modify     # Search for events by key
aureport --summary          # Generate report

  3. Configure log retention:

# /etc/audit/auditd.conf
# max_log_file is in MB; with num_logs = 5 this keeps about 40 MB of audit history
max_log_file = 8
max_log_file_action = rotate
num_logs = 5

  4. Setup log monitoring:

# Install tools
apt install logwatch fail2ban    # Debian/Ubuntu
yum install logwatch fail2ban    # RHEL/CentOS

# Configure daily reports
/etc/logwatch/conf/logwatch.conf

5. FAQs

Q: How do I find failed login attempts?

grep "Failed password" /var/log/auth.log     # /var/log/secure on RHEL/CentOS
ausearch --message USER_LOGIN --success no   # PAM login failures recorded by auditd

Q: How do I track file changes?

auditctl -w /path/to/file -p wa -k file-changes
ausearch -k file-changes

Q: Where are sudo commands logged?

grep sudo /var/log/auth.log
ausearch --message USER_CMD --success yes

Q: How do I monitor specific users?

auditctl -w /home/username -p wa -k user-activity
auditctl -a exit,always -F arch=b64 -S execve -F auid=1000 -k user-commands
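The rules on this page attribute everything by auid, the login uid that survives su and sudo, and one execve event arrives in audit.log as several records (SYSCALL, EXECVE, CWD, PATH) sharing the serial in msg=audit(time:serial). The script below is an added example for this guide; it is not ausearch, aureport or code from the page. It stitches raw records back into events, decodes hex-encoded EXECVE arguments (audit hex-encodes any argument containing a space or non-printable byte), attributes each event to its login user, and flags events where a regular login user (auid >= 1000) was running as root. SAMPLE_AUDIT_LOG is constructed to resemble what the execve and /var/log unlink rules above would produce; its serials, pids, inode numbers and paths are made up.

```python
"""Correlate raw audit.log records into per-event summaries.

Added example for this guide, not ausearch/aureport and not code from the
page. SAMPLE_AUDIT_LOG is constructed: an `auid=1000` user running `cat
/etc/shadow` via sudo, the same user as themselves, a cron-started logrotate
with no login session, and a sudo deletion of /var/log/auth.log.
"""
import re
from collections import defaultdict

UNSET_AUID = "4294967295"   # no login session: cron, systemd services, etc.

RE_RECORD = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
RE_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1716630000.101:1001): arch=c000003e syscall=59 success=yes exit=0 a0=55d2c0 a1=55d2e0 a2=55d300 a3=0 items=2 ppid=2201 pid=2345 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="commands"
type=EXECVE msg=audit(1716630000.101:1001): argc=2 a0="cat" a1="/etc/shadow"
type=CWD msg=audit(1716630000.101:1001): cwd="/root"
type=SYSCALL msg=audit(1716630000.102:1002): arch=c000003e syscall=59 success=yes exit=0 a0=55d2c0 a1=55d2e0 a2=55d300 a3=0 items=2 ppid=2201 pid=2346 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="commands"
type=EXECVE msg=audit(1716630000.102:1002): argc=3 a0="bash" a1="-c" a2=636174202F6574632F736861646F77
type=SYSCALL msg=audit(1716630000.103:1003): arch=c000003e syscall=59 success=yes exit=0 a0=55d2c0 a1=55d2e0 a2=55d300 a3=0 items=2 ppid=1 pid=2400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="commands"
type=EXECVE msg=audit(1716630000.103:1003): argc=2 a0="logrotate" a1="/etc/logrotate.conf"
type=SYSCALL msg=audit(1716630000.104:1004): arch=c000003e syscall=87 success=yes exit=0 a0=55d2c0 a1=0 a2=0 a3=0 items=2 ppid=2201 pid=2350 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="T1070_002"
type=PATH msg=audit(1716630000.104:1004): item=1 name="/var/log/auth.log" inode=1234 dev=fd:01 mode=0100640 ouid=0 ogid=4 nametype=DELETE
"""


def unquote(v):
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v


def decode_arg(v):
    """EXECVE arguments with spaces or odd bytes are hex-encoded, not quoted."""
    if v.startswith('"'):
        return unquote(v)
    return bytes.fromhex(v).decode("utf-8", errors="replace")


def parse_audit_log(text):
    """Group records by serial: {serial: {ts, syscall, argv, cwd, paths}}."""
    events = {}
    for raw in text.splitlines():
        m = RE_RECORD.match(raw.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = dict(RE_FIELD.findall(body))
        ev = events.setdefault(int(serial), {"ts": float(ts), "paths": []})
        if rtype == "SYSCALL":
            ev["syscall"] = {k: unquote(v) for k, v in fields.items()}
        elif rtype == "EXECVE":
            ev["argv"] = [decode_arg(fields[f"a{i}"]) for i in range(int(fields["argc"]))]
        elif rtype == "CWD":
            ev["cwd"] = unquote(fields["cwd"])
        elif rtype == "PATH":
            ev["paths"].append((fields.get("nametype", ""), unquote(fields.get("name", ""))))
    return events


def describe(ev):
    """Human-readable action: argv for execve events, otherwise the touched paths."""
    if "argv" in ev:
        return " ".join(ev["argv"])
    return ",".join(f"{nt}:{name}" for nt, name in ev["paths"])


def by_login_user(events):
    """{auid: [(serial, key, action)]}, attributed by the login uid (auid),
    which survives su/sudo, not by the effective uid of the process."""
    out = defaultdict(list)
    for serial, ev in sorted(events.items()):
        sc = ev.get("syscall")
        if sc is None:
            continue
        user = "unset" if sc["auid"] == UNSET_AUID else sc["auid"]
        out[user].append((serial, sc.get("key", ""), describe(ev)))
    return dict(out)


def privilege_elevated(events):
    """Serials where a real login user (auid >= 1000) ran as root (uid=0):
    the situation the auid-filtered sudo rules above exist to surface."""
    hits = []
    for serial, ev in events.items():
        sc = ev.get("syscall")
        if sc and sc["uid"] == "0" and sc["auid"] != UNSET_AUID and int(sc["auid"]) >= 1000:
            hits.append(serial)
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for user, rows in by_login_user(evs).items():
        for serial, key, action in rows:
            print(f"auid={user:<6} key={key:<12} {action}")
    print("elevated:", privilege_elevated(evs))   # → [1001, 1004]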

Q: How do I setup remote logging?

# /etc/rsyslog.conf on client
# A single @ means UDP: plaintext and no delivery guarantee. Use @@remote-server:514
# for TCP, and add TLS (rsyslog's gtls driver) if the path to the server is untrusted.
*.* @remote-server:514

# /etc/rsyslog.conf on server (open 514/udp in the host firewall)
$ModLoad imudp
$UDPServerRun 514

Q: How do I make audit rules permanent?

# /etc/audit/rules.d/audit.rules
# augenrules merges every *.rules file in this directory into /etc/audit/audit.rules
-w /etc/passwd -p wa -k user-modify
-w /etc/shadow -p wa -k user-modify
# then load the merged file (if the rules end with -e 2, the set is immutable
# and changes only take effect after a reboot)
augenrules --load

Q: How do I analyze large log files?

# Install log analyzers
apt install goaccess
yum install goaccess

# Generate HTML report
goaccess /var/log/apache2/access.log -o report.html

Q: System logging isn’t working?

  1. Check rsyslog status: systemctl status rsyslog
  2. Verify permissions: ls -l /var/log
  3. Check disk space: df -h
  4. Restart service: systemctl restart rsyslog

Q: Audit daemon not starting?

  1. Check kernel support: zgrep CONFIG_AUDIT /proc/config.gz (or the /boot/config-<kernel version> file when /proc/config.gz is absent)
  2. Verify service: systemctl status auditd
  3. Check rules: auditctl -l
  4. Review logs: journalctl -u auditd

Remember to regularly:

  • Review logs
  • Update audit rules
  • Monitor disk space
  • Backup log files
  • Test logging functionality

 
