Audit Logging Discrepancy: Journald vs Rsyslog
After installing Debian 12 and rsyslog 8.2302 (for TLS remote syslog), I noticed that apparmor logs (or any audit logs) were not being sent remotely.
After reviewing the local system, journald DOES contain all the audit and apparmor logs, but rsyslog is not getting any of them. Rsyslog can see all the other normal logs.
I have ForwardToSyslog=yes uncommented in /etc/systemd/journald.conf, but it does not seem to make a difference.
/etc/rsyslog.conf:
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
# TLS Certificate files
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/logserver.crt # Server Certificate or CA
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/selfsigned.crt # Client Certificate
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/selfsigned.key # Client Key
# TLS Sending Configuration
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode x509/name # authenticate the server by certificate and name (x509/name)
#
# TLS Remote Logging Rule
#
*.* @@192.168.3.2:6514
On Debian 11, apparmor logs were being forwarded by rsyslog no problem.
I also tried changing the remote line in rsyslog.conf to *.* /var/log/syslog and, after restarting, no audit or apparmor logs appeared in the file (all the other system logs did though...).
I realize rsyslog was removed from the default installation in this new release, so how can one re-enable rsyslog to see and ship off audit (apparmor) logs?
Asked by user432564
Jul 23, 2023, 12:40 AM
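A small script to quantify the discrepancy described in the question, added here as an illustration rather than as part of the original post: it keys every kernel audit record by its audit serial (the number after the timestamp in audit(...)) and reports which records present in the journal never reached the rsyslog-fed file. The sample lines are constructed; on a real host you would feed it the output of journalctl -o short -k and the contents of /var/log/syslog (or whatever file the *.* rule writes).

```python
import re

# Constructed sample input (not taken from the question): what journald holds
# versus what rsyslog actually wrote after the *.* /var/log/syslog test.
JOURNAL_LINES = """\
Jul 23 00:31:02 host kernel: audit: type=1400 audit(1690072262.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1234 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 23 00:31:03 host sshd[999]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Jul 23 00:31:05 host kernel: audit: type=1400 audit(1690072265.456:46): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/man" pid=1300 comm="apparmor_parser"
Jul 23 00:31:09 host systemd[1]: Started cron.service.
"""
SYSLOG_LINES = """\
Jul 23 00:31:03 host sshd[999]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Jul 23 00:31:09 host systemd[1]: Started cron.service.
"""

# audit(<epoch>.<ms>:<serial>) is emitted by the kernel audit subsystem; the
# serial is unique per record, which makes it a reliable join key.
AUDIT_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
APPARMOR_RE = re.compile(r'apparmor="(?P<action>[A-Z]+)"')


def audit_ids(lines):
    """Return {serial: line} for every audit record found in lines."""
    found = {}
    for line in lines:
        m = AUDIT_RE.search(line)
        if m:
            found[int(m.group('serial'))] = line.rstrip('\n')
    return found


def missing_audit_records(journal_text, syslog_text):
    """Audit records present in the journal but absent from the syslog feed."""
    in_journal = audit_ids(journal_text.splitlines())
    in_syslog = audit_ids(syslog_text.splitlines())
    return {s: line for s, line in in_journal.items() if s not in in_syslog}


def summarize(missing):
    """Count missing records per AppArmor action (DENIED, STATUS, ...) or 'other'."""
    counts = {}
    for line in missing.values():
        m = APPARMOR_RE.search(line)
        key = m.group('action') if m else 'other'
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == '__main__':
    gap = missing_audit_records(JOURNAL_LINES, SYSLOG_LINES)
    print(f"{len(gap)} audit record(s) in journald never reached rsyslog:")
    for serial, line in sorted(gap.items()):
        print(f"  serial {serial}: {line}")
    print("by action:", summarize(gap))
```

A non-empty result after the remote-forwarding fix is applied means the audit path is still broken even though ordinary syslog traffic flows, which is exactly the symptom to watch for when a DENIED event would otherwise be silently lost.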