ansible/roles/base/files/rsyslog/rsyslog-audit.conf

# monitor auditd log and send out over local6 to central loghost
$ModLoad imfile.so

# auditd audit.log
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

:msg, !contains, "type=AVC"
local6.*				@@log01:514
Rework rsyslog stuff. Use default dist /etc/rsyslog.conf, add our stuff to /etc/rsyslog.d 2014-01-25 17:45:38 +00:00			`# monitor auditd log and send out over local6 to central loghost`
			`$ModLoad imfile.so`

			`# auditd audit.log`
			`$InputFileName /var/log/audit/audit.log`
			`$InputFileTag tag_audit_log:`
			`$InputFileStateFile audit_log`
			`$InputFileSeverity info`
			`$InputFileFacility local6`
			`$InputRunFileMonitor`

			`:msg, !contains, "type=AVC"`
Enter log01, bravest of the brave 2014-07-18 20:42:00 +00:00			`local6.* @@log01:514`