The audit daemon, known as auditd, is a Linux kernel feature that logs system calls, such as opening a file, killing a process, or creating a network connection. You can use these logs to monitor systems for suspicious activity. Site24x7 AppLogs has built-in support for auditd logs.
Getting started
1. Log in to your Site24x7 account.
2. Download and install the Site24x7 Server Monitoring Agent (Windows | Linux).
3. Go to Admin > AppLogs > Log Profile and select Add Log Profile.
4. Enter the Profile Name.
5.Select Auditd Logs from the Choose the Log Type dropdown.
- The Sample Logs and Log Pattern are displayed below.
Sample Logs:
[2019-09-04 15:53:15] production.INFO: UPDATE_USER_LOGIN_INFO: User with ID 728 updated to logins=485, last_login=2019-09-04 15:53:15
[2019-09-04 15:53:52] production.INFO: UPDATE_USER_LOGIN_INFO: User with ID 69 updated to logins=156, last_login=2019-09-04 15:53:52
[2019-09-04 17:05:02] production.INFO: HOST_EXIST: FAILED Host in1-smtp does not exist, redirect to public home
These logs are separated into fields, each of which takes its respective value and is then uploaded to Site24x7.
- By default, this is the Log Pattern that AppLogs uses to identify auditd logs:
[$Datetime:date$] $Environment$.$Level$: $Message$
- You can add a custom Log Pattern instead of the default one. To do so, click the pencil icon and specify your pattern.
6. Select the Local File as the Log Source.
7. By default, the paths below are used as the file sources:
Linux: "/var/www/html/storage/logs/laravel*.log", "/var/www/*/storage/logs/laravel*.log", "/var/www/html/*/storage/logs/laravel*.log"
- If your source path is different from the default path, specify it in the List of files to search for logs field.
8. Select either monitors or monitor groups to collect the logs.
9. Click Save.
