This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

[Bindplane Linux Agent] Auditd log collection does not send hostname

Posted on 11-26-2024 06:07 AM
ottimo
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

Hi all,

I find BindPlane Agent and BindPlane OP a great solution to manage log collection process.

I have an issue with the auditd log: the agent sent the data without any information about the host that generated the log. So, inside the Google SecOps SIEM, I cannot understand which server sent that log.

I use the file receiver to read the /var/log/audit/audit.log file and the chronicle exporter to send it to the SIEM.

Had anyone the same issue?

Thank you all.

Best, 

Matteo

Solved Solved
0 2 444
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
cbryant
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

You will want to edit your Auditd config file to include the hostname. You should be able to do that by adding the following line to /etc/audit/auditd.conf then restart the auditd service:

 

name_format = hostname

 

ref: https://man7.org/linux/man-pages/man5/auditd.conf.5.html#:~:text=a%20space%20check.-,name_format,-Th...

View solution in original post

Jump to Solution
2 REPLIES 2

Posted on --/--/---- --:-- AM
cbryant
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

You will want to edit your Auditd config file to include the hostname. You should be able to do that by adding the following line to /etc/audit/auditd.conf then restart the auditd service:

 

name_format = hostname

 

ref: https://man7.org/linux/man-pages/man5/auditd.conf.5.html#:~:text=a%20space%20check.-,name_format,-Th...

Jump to Solution

Posted on --/--/---- --:-- AM
matthewnichols
Community Manager
Community Manager
Reply posted on --/--/---- --:-- AM

Hi @ottimo we just embedded our Bindplane and Data Pipeline Management webinar. Check it out here. Hopefully it helps with some of your other uses cases as you leverage these features. 

Jump to Solution
0 Likes
Top Solution Authors
View all