I have 3 RHEL-7 EC2 instances. All can connect among themselves using private IPs. One client and the server are on the same subnet, and the other client is in a different VPC but can connect with the other two instances over VPC Peering. rsyslog is running on the server and the clients are sending logs (/var/log/messages and /var/log/secure) to the server instance over port 514. For the sake of simplicity, firewalld/iptables are stopped and SELinux is permissive/disabled.
I have configured auditd on the clients; the service is active (running), but audit logs are not being transferred to the server. Below are the details of "systemctl status auditd" on the client:
    [root@ip-10-0-3-159 ~]# systemctl status auditd
    ● auditd.service - Security Auditing Service
       Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
       Active: active (running) since Wed 2018-07-11 19:42:48 UTC; 38s ago
         Docs: man:auditd(8)
               https://github.com/linux-audit/audit-documentation
      Process: 386 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
      Process: 375 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
     Main PID: 376 (auditd)
       CGroup: /system.slice/auditd.service
               ├─376 /sbin/auditd
               └─378 /sbin/audispd

    Jul 11 19:42:48 ip-10-0-3-159.ec2.internal audispd[378]: plugin /sbin/audisp-remote was restarted
    Jul 11 19:42:48 ip-10-0-3-159.ec2.internal audisp-remote[436]: Error connecting to 10.0.1.238: Network is unreachable
    Jul 11 19:42:48 ip-10-0-3-159.ec2.internal audispd[378]: plugin /sbin/audisp-remote terminated unexpectedly
    Jul 11 19:42:48 ip-10-0-3-159.ec2.internal audispd[378]: plugin /sbin/audisp-remote was restarted
    Jul 11 19:42:48 ip-10-0-3-159.ec2.internal audisp-remote[451]: Error connecting to 10.0.1.238: Network is unreachable
    Jul 11 19:42:48 ip-10-0-3-159.ec2.internal audispd[378]: plugin /sbin/audisp-remote terminated unexpectedly
    Jul 11 19:42:48 ip-10-0-3-159.ec2.internal audispd[378]: plugin /sbin/audisp-remote was restarted
    Jul 11 19:42:48 ip-10-0-3-159.ec2.internal audispd[378]: plugin /sbin/audisp-remote terminated unexpectedly
    Jul 11 19:42:48 ip-10-0-3-159.ec2.internal audispd[378]: plugin /sbin/audisp-remote has exceeded max_restarts
    Jul 11 19:42:48 ip-10-0-3-159.ec2.internal audispd[378]: plugin /sbin/audisp-remote was restarted
I have tried both the public IP and the private IP (as remote_server) in /etc/audisp/audisp-remote.conf. I can telnet to port 60 of the remote server from the clients, there is no issue with the security group, and most importantly the same configuration worked successfully in a VM environment.
Below is "netstat -tulpen" of the server:

    [root@ip-10-0-1-238 ~]# netstat -tulpen
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
    tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      0          18570      1077/rsyslogd
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          18464      1070/sshd
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          17663      1032/master
    tcp6       0      0 :::60                   :::*                    LISTEN      0          14041      401/auditd
    tcp6       0      0 :::514                  :::*                    LISTEN      0          18571      1077/rsyslogd
    tcp6       0      0 :::80                   :::*                    LISTEN      0          17023      759/httpd
    tcp6       0      0 :::22                   :::*                    LISTEN      0          18466      1070/sshd
    tcp6       0      0 ::1:25                  :::*                    LISTEN      0          17664      1032/master
    udp        0      0 127.0.0.1:323           0.0.0.0:*                           0          14741      478/chronyd
    udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          16016      549/dhclient
    udp6       0      0 ::1:323                 :::*                                0          14742      478/chronyd
Another confusion is that all services are running on tcp and tcp6 but auditd is running on tcp6 only. Is this something to be concerned about? In the VM environment both tcp and tcp6 lines are there for auditd.
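The tcp6-only listener question above, worked through as an added example (this is editor-supplied code, not part of the original post or of the audit package). On Linux an AF_INET6 socket bound to the wildcard `::` also accepts IPv4 clients, which arrive as IPv4-mapped addresses, unless the socket has IPV6_V6ONLY set; the default for that option comes from the sysctl `net.ipv6.bindv6only`, which is 0 on a stock RHEL 7 host. So a single `tcp6 :::60` line for auditd is normally not a problem. The script below parses a netstat table (a constructed copy of the one in the question) and flags ports that appear only as tcp6/udp6, then does a live check by binding an IPv6 wildcard listener on an ephemeral port and connecting to it over IPv4 loopback, once with V6ONLY off and once with it on. The sample text, function names and the choice of port 0 are assumptions made for the example.

```python
import socket
from collections import defaultdict

# Constructed sample: the listener table from the question, one socket per line
# (netstat -tulpen layout). The auditd line is the one being asked about.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      0          18570      1077/rsyslogd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          18464      1070/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          17663      1032/master
tcp6       0      0 :::60                   :::*                    LISTEN      0          14041      401/auditd
tcp6       0      0 :::514                  :::*                    LISTEN      0          18571      1077/rsyslogd
tcp6       0      0 :::80                   :::*                    LISTEN      0          17023      759/httpd
tcp6       0      0 :::22                   :::*                    LISTEN      0          18466      1070/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      0          17664      1032/master
udp        0      0 127.0.0.1:323           0.0.0.0:*                           0          14741      478/chronyd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          16016      549/dhclient
udp6       0      0 ::1:323                 :::*                                0          14742      478/chronyd
"""


def parse_listeners(text):
    """Group netstat rows by (proto, port): which IPv4 and IPv6 addresses each
    port is bound on, and which programs own it."""
    table = defaultdict(lambda: {"v4": set(), "v6": set(), "prog": set()})
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header / banner lines
        addr, port = f[3].rsplit(":", 1)  # "::1:25" -> ("::1", "25")
        key = (f[0].rstrip("6"), int(port))
        fam = "v6" if f[0].endswith("6") else "v4"
        table[key][fam].add(addr)
        table[key]["prog"].add(f[-1].split("/", 1)[-1])
    return dict(table)


def ipv4_reachable(entry, bindv6only):
    """Can a remote IPv4 client reach this listener?
    - an explicit non-loopback IPv4 bind: yes
    - an IPv6 wildcard bind (:::port): yes, via IPv4-mapped addresses,
      unless the socket is V6ONLY (default taken from net.ipv6.bindv6only)"""
    if any(not a.startswith("127.") for a in entry["v4"]):
        return True
    return "::" in entry["v6"] and bindv6only == 0


def report(text, bindv6only):
    """Ports bound only as tcp6/udp6, mapped to whether IPv4 clients still
    reach them under the given bindv6only setting."""
    out = {}
    for key, entry in sorted(parse_listeners(text).items()):
        if entry["v6"] and not entry["v4"]:
            out[key] = ipv4_reachable(entry, bindv6only)
    return out


def probe_dual_stack(v6only):
    """Live check: bind an AF_INET6 listener on :: (ephemeral port) with
    IPV6_V6ONLY=v6only, then connect to it from 127.0.0.1 over IPv4.
    Returns True/False, or None if this host has no usable IPv6 stack."""
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    with srv:
        try:
            srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, v6only)
            srv.bind(("::", 0))
            srv.listen(1)
        except OSError:
            return None
        port = srv.getsockname()[1]
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=2):
                return True  # IPv4 client accepted by the tcp6 listener
        except OSError:
            return False  # refused: nothing listens on the IPv4 side


if __name__ == "__main__":
    for (proto, port), ok in report(NETSTAT_SAMPLE, 0).items():
        print(f"{proto}/{port}: tcp6-only, IPv4 reachable with bindv6only=0 -> {ok}")
    print("live V6ONLY=0:", probe_dual_stack(0), " live V6ONLY=1:", probe_dual_stack(1))
```

Run it as-is to see the classification of the question's own table, or pipe real output into `parse_listeners` together with `cat /proc/sys/net/ipv6/bindv6only`. Note that the client-side message in the journal, "Network is unreachable" (ENETUNREACH), is produced by the client's own routing table before any packet reaches the server, so it cannot be explained by the server listening on tcp6 only; it means the client had no route to 10.0.1.238 at the moment audisp-remote tried to connect.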