Audit records are collected in audit logs. The audit service provides three output modes for audit records.
Audit files are logs that store audit records in binary format. The set of audit files from a system or site provides a complete audit record, which is called the audit trail. These logs are created by the audit_binfile plugin and can be reviewed with the praudit and auditreduce post-selection commands.
The audit_remote plugin streams audit records to a remote repository. The repository is responsible for maintaining an audit trail and supplying post-selection tools.
The syslog utility collects and stores text summaries of the audit record. A syslog record is not complete. The following example shows a syslog entry for a login audit record:
Oct 10 10:10:20 example_system auditd: [ID 6472 audit.notice] \ login - login ok session 4076172534 by root as root:other
A site can configure auditing to collect audit records in all formats. You can configure the systems at your site to use binary mode locally, to send binary files to a remote repository, and to use syslog mode. The following table compares binary audit records with syslog audit records.
For more information about plugins and audit logs, refer to the following:
audit_binfile (5) man page
audit_syslog (5) man page
audit.log (4) man page
Binary records provide the greatest security and coverage. Binary output meets the requirements of security certifications, such as the Common Criteria audit requirements.
The audit_binfile plugin writes the records to a file system that you protect from snooping. On a single system, all binary records are collected and displayed in order. The UTC time stamp on binary logs enables accurate comparison when systems on one audit trail are distributed across time zones. The praudit -x command enables you to view the records in a browser in XML. You can also use scripts to parse the XML output.
The audit_remote plugin writes the records to a remote repository. The repository handles storage and post-selection.
In contrast, the syslog records might provide greater convenience and flexibility. For example, you can collect the syslog data from a variety of sources. Also, when you monitor audit.notice events in the syslog.conf file, the syslog utility logs an audit record summary with the current time stamp. You can use the same management and analysis tools that you have developed for syslog messages from a variety of sources, including workstations, servers, firewalls, and routers. The records can be viewed in real time, and can be stored on a remote system.
By using syslog.conf to store audit records remotely, you protect log data from alteration or deletion by an attacker. However, consider the following drawbacks to the syslog mode.
The records are susceptible to network attacks such as denial of service and spoofed source addresses.
The UDP protocol can drop packets or can deliver packets out of order.
The 1024 character limit for syslog entries can cause some audit records to be truncated in the log.
On a single system, not all audit records are collected, and might not be displayed in order.
Each audit record is stamped with the local system's date and time. Thus, you cannot rely on the time stamp to construct an audit trail for several systems.
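To show what a syslog-mode record does and does not give you, here is an added example (not from this document or the audit_syslog plugin) that parses audit.notice summaries in the layout of the login entry above, flags entries that hit the 1024 character limit, and selects successful logins with an effective user of root. The field layout after "event - " and the sample lines are assumptions constructed from that single example entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

SYSLOG_MAX = 1024  # per-entry limit stated above; longer records are cut off
# Header layout follows the example entry; summary layout after "event - " is assumed.
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) auditd: "
    r"\[ID (?P<msgid>\d+) audit\.(?P<level>\w+)\] (?P<event>\S+) - (?P<summary>.*)$")
_SUMMARY = re.compile(
    r"^(?P<action>\S+) (?P<outcome>\S+) session (?P<session>\d+) "
    r"by (?P<auid>\S+) as (?P<euid>[^:]+):(?P<egid>\S+)$")

@dataclass
class AuditSummary:
    host: str
    timestamp: str  # local time, no year or zone: not comparable across hosts
    event: str
    outcome: str
    session: int
    auid: str       # audit (login) user
    euid: str       # effective user after the event
    egid: str

def suspect_truncation(line: str) -> bool:
    """A line at the syslog limit is probably cut off; consult the binary trail."""
    return len(line.rstrip("\n")) >= SYSLOG_MAX

def parse_audit_syslog(line: str) -> Optional[AuditSummary]:
    """Parse one audit.notice summary; None for non-audit or unparsable lines."""
    head = _HEADER.match(line.rstrip("\n"))
    body = _SUMMARY.match(head["summary"]) if head else None
    if not body:
        return None
    return AuditSummary(head["host"], head["ts"], head["event"], body["outcome"],
                        int(body["session"]), body["auid"], body["euid"], body["egid"])

def root_logins(lines: List[str]) -> List[AuditSummary]:
    """Successful login summaries whose effective user is root."""
    recs = (parse_audit_syslog(ln) for ln in lines)
    return [r for r in recs if r and r.event == "login" and r.outcome == "ok" and r.euid == "root"]

# Constructed sample lines in the format of the entry above (the doc's backslash is a line continuation); the last two are made up.
SAMPLE_LINES = [
    "Oct 10 10:10:20 example_system auditd: [ID 6472 audit.notice] "
    "login - login ok session 4076172534 by root as root:other",
    "Oct 10 10:12:41 example_system auditd: [ID 6472 audit.notice] "
    "login - login ok session 4076172535 by alice as alice:staff",
    "Oct 10 10:13:00 example_system sshd[123]: Accepted publickey for alice",
]
```

Because the summary carries neither a year nor a time zone, a multi-host correlation still has to come from the binary trail's UTC stamps; the parser only tells you which sessions to look up there.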