Linux Audit Logs

Supported OS: Linux

Integration version: 1.0.0

Overview

Linux Audit Logs record detailed information about system events, user activities, and security-related actions. They are essential for monitoring system integrity, detecting unauthorized access, and ensuring compliance with security policies and regulations.

This integration provides enrichment and visualization for various log types, including:

  • Mandatory Access Control (MAC) configurations and status
  • MAC policies
  • Role assignments, removals, and user role changes
  • Audit configuration changes and audit daemon events (such as aborts, configuration changes)
  • User authentication events
  • User account credential modifications
  • User and group management activities
  • SELinux user errors
  • Access Vector Cache (AVC) logs

It supports these logs across Red Hat, Ubuntu, and CentOS Linux operating systems.

This integration collects Linux audit logs and sends them to Datadog for analysis. It provides visual insights through out-of-the-box dashboards and the Log Explorer, and helps monitor and respond to security threats using ready-to-use Cloud SIEM detection rules.

Setup

Installation

To install the Linux Audit Logs integration, run the following Agent installation command. For more information, see Integration Management.

Note: This step is not necessary for Agent versions >= 7.66.0

For Linux, run:

sudo -u dd-agent -- datadog-agent integration install datadog-linux-audit-logs==1.0.0

Configuration

Install the Audit Daemon (auditd)

  1. Install auditd on Linux:

    • Debian/Ubuntu:

      sudo apt-get update
      sudo apt-get install auditd
      
    • CentOS/RHEL:

      sudo yum install audit
      
  2. Start the Audit Daemon:

    sudo systemctl start auditd
    
  3. Enable the Audit Daemon to Start on Boot:

    sudo systemctl enable auditd
    
  4. Verify the Status of the Audit Daemon:

    sudo systemctl status auditd
    

Configure the Audit Daemon (auditd)

  1. Give the dd-agent user read permission for rotated audit log files:

    sudo grep -q '^[[:space:]]*log_group[[:space:]]*=' /etc/audit/auditd.conf && sudo sed -i 's/^[[:space:]]*log_group[[:space:]]*=.*/log_group=dd-agent/' /etc/audit/auditd.conf || echo "log_group=dd-agent" | sudo tee -a /etc/audit/auditd.conf
    
  2. Restart Audit Daemon:

    sudo systemctl restart auditd
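
As an added example (not part of the Datadog integration or its documentation), the same log_group change written as an idempotent helper with a reader that reports the value auditd will actually use, so you can dry-run it on a scratch copy before touching /etc/audit/auditd.conf. It assumes the stock file writes keys with spaces around the equals sign (log_group = root), which a bare ^log_group= match would miss and then append a duplicate line; the fallback value root is auditd's own default.

```shell
#!/usr/bin/env bash
# Added example, not the integration's own code. The config path is a
# parameter so the functions can be exercised on a temporary copy; run as
# root when pointing them at /etc/audit/auditd.conf.

# set_log_group CONF GROUP
# Rewrites an existing log_group line (spaces around "=" tolerated) or
# appends one. The explicit if/else avoids the `A && B || C` pitfall,
# where a failing sed would fall through and append a second line.
set_log_group() {
    local conf="$1" group="$2"
    if grep -q '^[[:space:]]*log_group[[:space:]]*=' "$conf"; then
        sed -i "s/^[[:space:]]*log_group[[:space:]]*=.*/log_group = ${group}/" "$conf"
    else
        printf 'log_group = %s\n' "$group" >> "$conf"
    fi
}

# effective_log_group CONF
# Prints the group auditd would apply to new log files: the last
# log_group line wins; with none present auditd defaults to root.
effective_log_group() {
    local conf="$1" value
    value=$(sed -n 's/^[[:space:]]*log_group[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" | tail -n 1)
    printf '%s\n' "${value:-root}"
}

# count_log_group_lines CONF
# Idempotence check: repeated runs must never stack duplicate entries.
count_log_group_lines() {
    grep -c '^[[:space:]]*log_group[[:space:]]*=' "$1" || true
}
```

After editing the real file, restart auditd and confirm that a freshly rotated /var/log/audit/audit.log is group-owned by dd-agent.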
    

Validation

Run the Agent’s status subcommand and look for linux_audit_logs under the Checks section.

Data Collected

Metrics

The Linux Audit Logs integration does not include any metrics.

Log Collection

  1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the datadog.yaml file:

    logs_enabled: true
    
  2. Give the dd-agent user read access to the audit.log file:

    sudo chown -R dd-agent:dd-agent /var/log/audit/audit.log
    
  3. Add this configuration block to your linux_audit_logs.d/conf.yaml file to start collecting Linux audit logs.

    See the sample linux_audit_logs.d/conf.yaml for available configuration options.

    logs:
      - type: file
        path: /var/log/audit/audit.log
        service: linux-audit-logs
        source: linux-audit-logs
    

    Note: Do not change the service and source values, as they are essential for proper log pipeline processing.

  4. Restart the Agent.

Events

The Linux Audit Logs integration does not include any events.

Troubleshooting

Need help? Contact Datadog support.