AUDISP-SYSLOG(8)	System Administration Utilities	      AUDISP-SYSLOG(8)

NAME
       audisp-syslog - plugin to push audit events into syslog

SYNOPSIS
       audisp-syslog [ OPTIONS ]

DESCRIPTION
       audisp-syslog is a plugin for the audit event dispatcher that wraps
       audit events back around to syslog. It can be passed three options: one
       which is the syslog facility, one that is the syslog level that all
       events are logged with, and one that determines if events should be
       interpreted. Valid facilities are LOG_LOCAL0 through LOG_LOCAL7, LOG_AUTH,
       LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER. Valid levels are
       LOG_DEBUG through LOG_EMERG. Setting these options is done in the
       /etc/audit/syslog.conf file on the args line.

       If it is desired that events are interpreted, add the word interpret to
       the args line. This will cause all events to be interpreted. The
       drawback to this approach is that naive parsers can be tricked by an
       adversary who has the ability to name files, processes, or other
       user-controlled objects.
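
       The sketch below is an added example, not part of the audit package.
       It contrasts a first-match lookup on an interpreted line with a parser
       that splits a raw record into fields before decoding hex-encoded
       values. Both sample records are constructed, and the exact shape of
       the interpreted line and the UNTRUSTED field list are assumptions.

```python
import re

# Fields whose values come from user-controllable names.
# Illustrative subset (an assumption), not a complete list.
UNTRUSTED = {"name", "comm", "exe", "cwd"}

def decode_untrusted(value):
    """Raw format: quoted when safe, otherwise hex-encoded without quotes."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "backslashreplace")
    return value  # e.g. (null)

def parse_raw(record):
    """Split on whitespace first and decode afterwards, so decoded
    bytes can never create or override a field."""
    _, _, body = record.partition("): ")
    fields = {}
    for token in body.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = decode_untrusted(value) if key in UNTRUSTED else value
    return fields

def naive_first_match(line, key):
    """The fragile approach: first 'key=' hit anywhere in the line."""
    m = re.search(r"\b%s=(\S+)" % re.escape(key), line)
    return m.group(1) if m else None

# Constructed sample: a file whose name embeds something that looks like a field.
FILENAME = "/tmp/x ouid=root"
HEADER = "type=PATH msg=audit(1700000000.123:456): item=0 "
RAW = HEADER + "name=%s inode=1234 ouid=1000 ogid=1000" % FILENAME.encode().hex().upper()
# Assumed shape of the same record after interpretation.
INTERPRETED = HEADER + "name=%s inode=1234 ouid=alice ogid=alice" % FILENAME

if __name__ == "__main__":
    # Interpreted line: the file name is cut short and ouid is misread.
    print(naive_first_match(INTERPRETED, "name"), naive_first_match(INTERPRETED, "ouid"))
    # Raw record: the full name is recovered and ouid is the real owner.
    raw = parse_raw(RAW)
    print(repr(raw["name"]), raw["ouid"])
```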

       If you are aggregating multiple machines, you should edit auditd.conf
       to set the name_format to something meaningful and the log_format to
       enriched. This way you can tell where the event came from and have the
       user name and groups resolved locally before it is sent off of the
       machine.


FILES
       /etc/audit/plugins/syslog.conf /etc/audit/auditd.conf

SEE ALSO
       auditd.conf(8), auditd-plugins(5), syslog(3).

AUTHOR
       Steve Grubb

Red Hat				  August 2018		      AUDISP-SYSLOG(8)
