Architecting a vRealize Business Solution : Security : 10.5 Log Forwarding – Syslog-ng and Auditd : 10.5.2 Auditd
   
10.5.2 Auditd
The vRealize Business Standard appliance uses the audispd service to forward all audit logs to the syslog-ng service. The audispd syslog plugin is configured in /etc/audisp/plugins.d/syslog.conf. Forwarding is enabled by editing that file and setting the following parameter:
active=yes
Restart the auditd service as root to incorporate the change.
When the high governance audit rules are in use, the volume of audit logging increases enough to warrant reconfiguring both the q_depth and the priority_boost of the audit dispatcher daemon. The configuration file is located in /etc/audisp/audispd.conf. The following parameters must be set (the recommended minimums for high governance audit logs are given in parentheses):
q_depth = 80 (the recommendation for high governance audit logs is at least 1,280)
priority_boost = 4 (the recommendation for high governance audit logs is at least 8)
Restart the auditd service as root to incorporate the change.
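The settings above can be applied and verified with a small script rather than hand-edited. The following is an added example, not part of the VMware guide or the appliance; it assumes the /etc/audisp layout the guide names and works on copies of the files (constructed sample contents) so the change can be rehearsed before touching the appliance.

```shell
#!/bin/sh
# Added example, not from the VMware guide: apply and verify the audispd
# settings described above on copies of the config files, so the change can
# be rehearsed offline before editing the real appliance under /etc/audisp.
set -eu

# set_kv FILE KEY VALUE: rewrite "KEY = VALUE" (any spacing, even if the line is
# commented out) in place; append it if KEY is absent. Writes via a temp file
# so an interrupted write never leaves a truncated config behind.
set_kv() {
    file=$1; key=$2; value=$3; tmp="$file.tmp.$$"
    if grep -Eq "^[#[:space:]]*$key[[:space:]]*=" "$file"; then
        sed -E "s|^[#[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
    else
        { cat "$file"; echo "$key = $value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_kv FILE KEY: print the effective (uncommented) value of KEY, if any.
get_kv() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^[:space:]]*).*/\1/p" "$1" | tail -n 1
}

# audit_forwarding_ok DIR: succeed only if the syslog plugin is active and the
# dispatcher queue and priority meet the guide's high governance minimums.
audit_forwarding_ok() {
    [ "$(get_kv "$1/plugins.d/syslog.conf" active)" = "yes" ] || return 1
    q=$(get_kv "$1/audispd.conf" q_depth); p=$(get_kv "$1/audispd.conf" priority_boost)
    [ "${q:-0}" -ge 1280 ] && [ "${p:-0}" -ge 8 ]
}

# harden_audisp DIR: apply the values from the guide (restart auditd afterwards).
harden_audisp() {
    set_kv "$1/plugins.d/syslog.conf" active yes
    set_kv "$1/audispd.conf" q_depth 1280
    set_kv "$1/audispd.conf" priority_boost 8
}

# make_sample_dir DIR: constructed copies of typical default files for a dry run.
make_sample_dir() {
    mkdir -p "$1/plugins.d"
    printf 'active = no\ndirection = out\npath = builtin_syslog\ntype = builtin\n' \
        > "$1/plugins.d/syslog.conf"
    printf 'q_depth = 80\noverflow_action = SYSLOG\npriority_boost = 4\n' \
        > "$1/audispd.conf"
}
```

Run `make_sample_dir` on a scratch directory, then `harden_audisp` and `audit_forwarding_ok` against it; on the appliance itself, point the functions at /etc/audisp and restart auditd as root afterwards.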
When the high governance audit rules are in use, log files also grow larger. To reduce the number of logs stored on the hardened appliance (this assumes log forwarding has already been configured), customers can tune the number of daily log files kept locally by modifying the rotation count. All log rotation configurations are stored in /etc/logrotate.d.
To control the number of stored daily log files for syslog, edit the /etc/logrotate.d/syslog file as root. Modify all of the “rotate 15” entries to the number of days to store local logs. The recommended number of days for centralized log services is at least 7.
To control the number of stored daily log files for the audit daemon, edit the /etc/logrotate.d/audit file as root. Modify the “rotate 15” entry to the number of days to store local audit logs. The recommended number of days for centralized audit log services is at least 7.
Design Considerations
Configure auditd to forward messages to syslog-ng, which can in turn forward them to a centralized syslog collector such as vRealize Log Insight.