The Linux Audit daemon (auditd) ships enabled by default on RHEL 8 and provides a kernel-level event logging subsystem capable of recording file access, system calls, user logins, and privilege escalation. Unlike application-level logging, audit records are written directly by the kernel and are tamper-evident, making them suitable for compliance frameworks such as PCI-DSS, HIPAA, and CIS benchmarks. This tutorial covers tuning auditd.conf, writing targeted audit rules for sensitive files and commands, searching and reporting on audit events, and forwarding records to syslog for centralized collection.
Prerequisites
- RHEL 8 server with auditd installed (included in the base install)
- Root or sudo access
- Basic familiarity with systemctl and text file editing
- Optional: a remote syslog server for centralized log collection
Step 1 — Verify auditd Status and Tune auditd.conf
Confirm auditd is running, then edit /etc/audit/auditd.conf to configure log file location, maximum log size, and rotation behavior. The default values are conservative; the settings below are appropriate for a moderately busy production server.
# Confirm auditd is running
sudo systemctl status auditd
# Edit the main configuration file
sudo cp /etc/audit/auditd.conf /etc/audit/auditd.conf.bak
sudo tee /etc/audit/auditd.conf > /dev/null <<'EOF'
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 50
num_logs = 10
max_log_file_action = ROTATE
space_left = 250
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = HALT
disk_full_action = SUSPEND
disk_error_action = SUSPEND
EOF
sudo systemctl restart auditd
sudo systemctl status auditd
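An added check, not part of the tutorial: a small Python parser for the auditd.conf written above, with the sanity checks a reviewer would run on its disk-space policy before deploying it (the thresholds are in MB; the review_space_policy helper and its finding texts are this example's own, not anything auditd ships).

```python
# auditd.conf as written in Step 1, embedded as constructed input; auditd reads
# max_log_file, space_left and admin_space_left as megabytes.
STEP1_CONF = """\
log_file = /var/log/audit/audit.log
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 50
num_logs = 10
max_log_file_action = ROTATE
space_left = 250
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = HALT
disk_full_action = SUSPEND
disk_error_action = SUSPEND
"""

def parse_auditd_conf(text):
    """Parse 'key = value' lines; '#' starts a comment, keys are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[key.lower()] = value.upper() if key.lower().endswith("action") else value
    return conf

def review_space_policy(conf):
    """Check the free-space thresholds and the action bound to each one (hypothetical helper)."""
    max_log, num_logs = int(conf["max_log_file"]), int(conf["num_logs"])
    space_left, admin_left = int(conf["space_left"]), int(conf["admin_space_left"])
    findings = []
    if admin_left >= space_left:
        findings.append("admin_space_left must be below space_left so the warning action fires first")
    if space_left < max_log:
        findings.append("space_left is smaller than one log file, so the disk can fill mid-rotation")
    if conf["admin_space_left_action"] == "HALT":
        findings.append("admin_space_left_action=HALT shuts the system down below admin_space_left; "
                        "monitor free space so this last resort is never reached")
    for key in ("space_left_action", "admin_space_left_action", "disk_full_action", "disk_error_action"):
        if conf.get(key) == "IGNORE":
            findings.append(f"{key}=IGNORE does nothing at that point, so events are lost silently")
    # rotated_footprint_mb is the most disk the rotation scheme itself will keep
    return {"rotated_footprint_mb": max_log * num_logs, "findings": findings}
```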
Step 2 — Write Audit Rules for Sensitive Files
Audit rules live in /etc/audit/rules.d/ and are compiled into a single rule set on startup. Create a dedicated rules file that watches key authentication files and records all modifications with an identifying key.
sudo tee /etc/audit/rules.d/security.rules > /dev/null <<'EOF'
# Watch authentication and privilege files; -p wa records writes and attribute changes
# (the original watch rules were lost in extraction; these are restored from the files
# and keys searched in Step 3, and the shadow_changes key name is assumed)
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/shadow -p wa -k shadow_changes
# Record every command executed by a real user (auid 4294967295 means the login UID is unset)
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k user_commands
# Make audit configuration immutable (requires reboot to change rules)
# -e 2
EOF
# Load the new rules without rebooting
sudo augenrules --load
sudo auditctl -l
Step 3 — Search Audit Logs with ausearch
ausearch queries the binary audit log using filters such as key name, user, time range, and event type. Results can be piped to aureport for summary output.
# Search by key name — all sudoers file changes
sudo ausearch -k sudoers_changes --interpret
# Search for changes to /etc/shadow in the last hour
# Search for changes to /etc/shadow in the last 10 minutes (what -ts recent means)
sudo ausearch -f /etc/shadow -ts recent --interpret
# Search by UID — all events from a specific user
sudo ausearch -ui 1001 -ts today --interpret
# Search for failed login attempts
sudo ausearch -m USER_LOGIN -sv no --interpret
# Search for execve calls (command executions)
sudo ausearch -k user_commands -ts today --interpret | head -60
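An added example, not part of the tutorial: a Python reader for the RAW records the ausearch commands above query, grouping records by serial number, decoding hex-encoded EXECVE arguments the way --interpret does, and reproducing `ausearch -k KEY` over a constructed sample that uses this tutorial's keys (the search_key and parse_events helpers are this example's own).

```python
import re
from collections import defaultdict
# Constructed RAW-format records in the shape auditd writes to audit.log (not from a
# real host). Records of one event share the serial in msg=audit(<epoch>:<serial>);
# a1 of the first EXECVE record is hex-encoded because it contains a space.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4201): arch=c000003e syscall=59 success=yes exit=0 pid=1001 auid=1001 uid=1001 comm="grep" exe="/usr/bin/grep" key="user_commands"
type=EXECVE msg=audit(1700000000.123:4201): argc=3 a0="grep" a1=616C69636520414C4C a2="/etc/sudoers"
type=SYSCALL msg=audit(1700000000.130:4202): arch=c000003e syscall=257 success=yes exit=3 pid=1050 auid=1001 uid=0 comm="vi" exe="/usr/bin/vi" key="sudoers_changes"
type=PATH msg=audit(1700000000.130:4202): item=0 name="/etc/sudoers" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.140:4203): arch=c000003e syscall=59 success=yes exit=0 pid=1101 auid=1002 uid=1002 comm="sudo" exe="/usr/bin/sudo" key="user_commands"
type=EXECVE msg=audit(1700000000.140:4203): argc=3 a0="sudo" a1="visudo" a2="-c"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
HEX_FIELDS = re.compile(r"a\d+|name|cwd|proctitle")  # string fields auditd hex-encodes when unsafe

def decode_value(rtype, field, raw):
    """Quoted values are literal; unquoted uppercase hex in a string field is an encoded string."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if rtype != "SYSCALL" and HEX_FIELDS.fullmatch(field) and re.fullmatch(r"(?:[0-9A-F]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

def parse_events(text):
    """Group records by serial: {serial: {record_type: [fields, ...]}}."""
    events = defaultdict(dict)
    for m in (MSG_RE.match(line) for line in text.splitlines()):
        if m:  # skip anything that is not an audit record
            rtype, serial = m.group(1), int(m.group(2))
            fields = {k: decode_value(rtype, k, v) for k, v in FIELD_RE.findall(m.string)}
            events[serial].setdefault(rtype, []).append(fields)
    return dict(events)

def command_line(event):
    """Rebuild argv from the EXECVE record, as ausearch --interpret prints it."""
    execve = event.get("EXECVE", [{}])[0]
    return " ".join(execve.get(f"a{i}", "?") for i in range(int(execve.get("argc", 0))))

def search_key(events, key):
    """Like `ausearch -k KEY`: (auid, exe, argv) for every event tagged with KEY."""
    hits = []
    for serial in sorted(events):
        for sc in events[serial].get("SYSCALL", []):
            if sc.get("key") == key:
                hits.append((sc["auid"], sc["exe"], command_line(events[serial])))
    return hits
```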
Step 4 — Generate Audit Reports with aureport
aureport produces summary statistics from the audit log. It is useful for daily security reviews and identifying anomalous activity patterns without reading raw log entries.
# Summary of all event types
sudo aureport --summary
# Executable summary (most-run binaries)
sudo aureport -x --summary
# Authentication report
sudo aureport -au --summary
# Failed events report
sudo aureport --failed --summary
# Login report for the past 7 days
sudo aureport -l -ts week-ago --summary
# Anomaly report (unusual events)
sudo aureport --anomaly
Step 5 — Forward Audit Events to Syslog via audisp-syslog
The audisp-syslog plugin ships with the audispd-plugins package on RHEL 8. When enabled, it forwards all audit events to rsyslog or journald, enabling centralized collection with tools like Elasticsearch or a SIEM.
# Install the audisp plugins package
sudo dnf install -y audispd-plugins
# Enable the syslog plugin
sudo sed -i 's/^active = no/active = yes/' /etc/audit/plugins.d/syslog.conf
# Optionally rewrite the plugin config in full; args sets the syslog priority (LOG_INFO here)
sudo tee /etc/audit/plugins.d/syslog.conf > /dev/null <<'EOF'
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
EOF
# Restart auditd to apply plugin changes
sudo systemctl restart auditd
# Verify audit events appear in journald
sudo journalctl -t audispd -n 20 --no-pager
Step 6 — Configure Log Rotation
Although auditd.conf manages its own rotation, you should also define a logrotate entry to ensure compliance with your organisation’s retention policy and prevent uncontrolled disk growth.
sudo tee /etc/logrotate.d/audit > /dev/null <<'EOF'
/var/log/audit/audit.log {
    # rotation directives (count, compress, dateext) were lost in extraction; set them to your retention policy
    missingok
    notifempty
    postrotate
        # auditd keeps the log open, so ask it to reopen after rotation (command assumed; the original was lost)
        /usr/sbin/service auditd rotate 2>/dev/null || true
    endscript
}
EOF
# Verify the new logrotate config
sudo logrotate --debug /etc/logrotate.d/audit
# Check current audit log disk usage
sudo du -sh /var/log/audit/
Conclusion
You now have a hardened auditd configuration on RHEL 8 that watches critical authentication files, records privilege escalation events, captures user command executions, and forwards all events to syslog for centralized collection. The rule set uses named keys so ausearch and aureport can quickly surface relevant events during incident investigations or compliance audits. Remember to periodically review aureport --summary output and adjust rules as your system’s normal activity baseline evolves.
Next steps: How to Configure SELinux Policies on RHEL 8, How to Forward Logs to Elasticsearch with Filebeat on RHEL 8, and How to Set Up Checksum Monitoring with AIDE on RHEL 8.