Enable Linux Agent Local audit.log Files

The Linux Agent has an optional feature that lets you use a custom tsauditd.cfg to generate local JSON-formatted audit log files. These files contain the Agent's audit events and are kept locally on the host. You can use them to pipe event data into a Security Information and Event Management (SIEM) system or another log aggregator.

Enable audit.log Files

Beginning with Linux Agent 3.1.x, you can run the following command to generate local JSON-formatted audit log files:

sudo tsagent config -set audit.log /tmp/audit.log

In this example, the log file is written to the /tmp directory.

The command edits the existing tsauditd.cfg file by adding an output processor of type auemu with the following configuration (the same processor block that the manual configuration for older Agents, below, adds by hand):

    {
        "output": {
            "config": {
                "num_logs": 5,
                "log_file": "/tmp/tsaudit.log",
                "max_log_file_action": "rotate",
                "max_log_file": 50,
                "flush": true,
                "flush_increment": 4
            },
            "type": "auemu"
        }
    }

These log files rotate every 50 MB and up to num_logs files are kept. You can adjust the rotation threshold by manually editing max_log_file (the value is in MB).
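Because tsauditd reads this configuration as JSON, a typo (a missing comma, a relative log_file path, a directory that does not exist) silently means no audit.log is written. The following is an added example, not part of this article or of the Threat Stack Agent itself: a small pre-flight check you can run over a tsauditd-custom.cfg before restarting the Agent. It assumes only the field names shown on this page (processors, output, type "auemu", log_file, num_logs, max_log_file, max_log_file_action); the retained_log_mb figure assumes num_logs is the total number of files kept, which the page does not state.

```python
import json
import os
from typing import Any, Callable

# Constructed sample: the tsauditd-custom.cfg fragment from this page, inlined so the
# check runs offline without reading /opt/threatstack/etc.
SAMPLE_CFG = """
{
    "threatstack": {
        "auditd": {
            "filter": "/opt/threatstack/etc/tsauditd.lua",
            "processors": [
                {"output": {"config": {}, "type": "stdout", "enable-noop": true}},
                {"output": {"config": {
                    "num_logs": 5,
                    "log_file": "/tmp/tsaudit.log",
                    "max_log_file_action": "rotate",
                    "max_log_file": 50,
                    "flush": true,
                    "flush_increment": 4
                }, "type": "auemu"}}
            ]
        }
    }
}
"""


def find_auemu_outputs(cfg: dict[str, Any]) -> list[dict[str, Any]]:
    """Return the config dict of every processor whose output type is auemu."""
    processors = cfg.get("threatstack", {}).get("auditd", {}).get("processors", [])
    return [
        p["output"].get("config", {})
        for p in processors
        if isinstance(p, dict) and p.get("output", {}).get("type") == "auemu"
    ]


def check_auemu_output(out: dict[str, Any],
                       dir_exists: Callable[[str], bool] = os.path.isdir) -> list[str]:
    """Return the problems found in one auemu output config (empty list means OK).
    dir_exists is injectable so the check can be unit-tested without a real /tmp."""
    problems: list[str] = []
    log_file = out.get("log_file")
    if not isinstance(log_file, str) or not os.path.isabs(log_file):
        problems.append("log_file must be an absolute path")
    elif not dir_exists(os.path.dirname(log_file)):
        problems.append(f"log directory {os.path.dirname(log_file)} does not exist")
    if out.get("max_log_file_action") != "rotate":
        problems.append("max_log_file_action is not 'rotate'; the file will grow unbounded")
    size = out.get("max_log_file")
    if not isinstance(size, int) or size <= 0:
        problems.append("max_log_file must be a positive number of megabytes")
    count = out.get("num_logs")
    if not isinstance(count, int) or count < 1:
        problems.append("num_logs must be at least 1 when rotating")
    return problems


def validate_cfg_text(text: str,
                      dir_exists: Callable[[str], bool] = os.path.isdir) -> tuple[bool, list[str]]:
    """Parse a tsauditd-custom.cfg and return (ok, problems)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return False, [f"not valid JSON: {exc}"]
    outputs = find_auemu_outputs(cfg)
    if not outputs:
        return False, ["no auemu output processor: no audit.log will be written"]
    problems: list[str] = []
    for out in outputs:
        problems.extend(check_auemu_output(out, dir_exists))
    return not problems, problems


def retained_log_mb(out: dict[str, Any]) -> int:
    """Worst-case disk footprint of the rotated set in MB.
    Assumption: num_logs counts every retained file, each capped at max_log_file MB."""
    return int(out.get("num_logs", 0)) * int(out.get("max_log_file", 0))


if __name__ == "__main__":
    ok, problems = validate_cfg_text(SAMPLE_CFG)
    print("config OK" if ok else "config problems: " + "; ".join(problems))
    for out in find_auemu_outputs(json.loads(SAMPLE_CFG)):
        print(f"{out['log_file']}: up to {retained_log_mb(out)} MB on disk")
```

To check a real file, pass the contents of /opt/threatstack/etc/tsauditd-custom.cfg to validate_cfg_text; the directory check then runs against the live filesystem, so run it on the host where the Agent will write the log.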

Disable audit.log Files

To disable local audit.log files through the Agent configuration, set the audit.log value back to its default (empty) value by running the following command:

sudo tsagent config -set audit.log ""

Enable audit.log Files for Agent 3.0 and earlier

For Agents earlier than 3.1.x, you can configure this option manually:

  1. Navigate to /opt/threatstack/etc.
  2. Locate the tsauditd-custom.cfg file. If this file does not exist, then you need to create it.
  3. In the empty tsauditd-custom.cfg file, add the following:
    {
        "threatstack": {
            "auditd": {
                "extra-netinfo": true,
                "max-eoe-flush": 100,
                "noop": 3,
                "nnsleep": 1,
                "filter": "/opt/threatstack/etc/tsauditd.lua",
                "cpumon": {
                    "max_rlim": 50000,
                    "min_rlim": 1000,
                    "inc-by": 300,
                    "dec-by": 50,
                    "ival-sec": 1,
                    "ival-usec": 0,
                    "avg-after": 5,
                    "max-cpu": 40,
                    "enabled": true
                },
                "processors": [
                    {
                        "output": {
                            "config": {},
                            "type": "stdout",
                            "enable-noop": true
                        }
                    },
                    {
                        "output": {
                            "config": {
                                  "num_logs": 5,
                                  "log_file": "/tmp/tsaudit.log",
                                  "max_log_file_action": "rotate",
                                  "max_log_file": 50,
                                  "flush": true,
                                  "flush_increment" : 4
                            },
                            "type": "auemu"
                        }
                    }
                ]
            }
        }
    }
  4. Restart the Agent service by running the following command:
    systemctl restart threatstack

The audit.log file is written to the directory you chose. Once it reaches the maximum file size, it is rotated and the rotated files are named audit.log.x, where x is a number.
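A consumer that forwards these files to a SIEM has to cope with two things the rotation scheme above implies: events are spread across audit.log and its numbered copies, and the live file can end in a partially written line. The following is an added example, not code from this article or from the Agent: it collects the rotated files in order, parses them as JSON lines, and counts rather than raises on incomplete lines. The event fields are constructed placeholders, since the page does not show the tsauditd event schema, and it assumes a higher numeric suffix means an older file.

```python
import json
import os
import re
import tempfile

# Constructed sample lines. The real event schema is not shown on the page, so these
# are placeholder objects carrying only a "seq" field and a marker.
SAMPLE_ROTATED = '{"seq": 1, "event": "constructed"}\n{"seq": 2, "event": "constructed"}\n'
SAMPLE_LIVE = '{"seq": 3, "event": "constructed"}\n{"seq": 4, "ev'   # final line is a partial write


def rotated_files(log_path: str) -> list[str]:
    """Return the rotated copies of log_path (audit.log.1, audit.log.2, ...) oldest first,
    followed by the live file. Assumption: a higher suffix is an older file."""
    directory = os.path.dirname(log_path) or "."
    base = os.path.basename(log_path)
    suffix = re.compile(re.escape(base) + r"\.(\d+)$")
    numbered = []
    for name in os.listdir(directory):
        match = suffix.match(name)
        if match:
            numbered.append((int(match.group(1)), os.path.join(directory, name)))
    ordered = [path for _, path in sorted(numbered, reverse=True)]
    if os.path.exists(log_path):
        ordered.append(log_path)
    return ordered


def load_events(log_path: str) -> tuple[list[dict], int]:
    """Parse every JSON line across the rotated set and the live file.
    Returns (events, skipped): lines that are not complete JSON objects, typically the
    partially written tail of the live file, are counted in skipped instead of raising."""
    events: list[dict] = []
    skipped = 0
    for path in rotated_files(log_path):
        with open(path, "r", encoding="utf-8") as fh:
            for line in fh:
                line = line.strip()
                if not line:
                    continue
                try:
                    obj = json.loads(line)
                except json.JSONDecodeError:
                    skipped += 1
                    continue
                if isinstance(obj, dict):
                    events.append(obj)
                else:
                    skipped += 1
    return events, skipped


def write_sample_logs(directory: str) -> str:
    """Write the constructed sample as audit.log and audit.log.1; return the live path."""
    live = os.path.join(directory, "audit.log")
    with open(live + ".1", "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_ROTATED)
    with open(live, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_LIVE)
    return live


def run_demo() -> tuple[list[int], int]:
    """Create the sample in a temporary directory and read it back.
    Returns (sequence numbers in read order, number of skipped lines)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = write_sample_logs(tmp)
        events, skipped = load_events(live)
    return [e["seq"] for e in events], skipped


if __name__ == "__main__":
    seqs, skipped = run_demo()
    print(f"events read in order: {seqs}; skipped partial lines: {skipped}")
```

In a real forwarder, the events list is what you would ship to the SIEM; a non-zero skipped count on a file that is no longer the live one is worth alerting on, since a rotated file should contain only complete lines.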
