I would like to create a trigger in Zabbix to alert me anytime a type=AVC error appears in a CentOS 6 server's /var/log/audit/audit.log file.
I've already tried creating a basic log scrape. E.g.:
log[/var/log/audit/audit.log,type=AVC,"UTF-8",100]
However, it does not work. I believe this is due to /var/log/audit/audit.log and its parent folder using the following permissions:
drwxr-x---. 2 root root 4096 Apr 20 04:29 .
drwxr-xr-x. 13 root root 4096 Apr 14 12:07 ..
-rw-------. 1 root root 5948185 Apr 20 15:27 audit.log
-r--------. 1 root root 6291566 Apr 20 04:29 audit.log.1
-r--------. 1 root root 6291704 Apr 19 16:56 audit.log.2
-r--------. 1 root root 6291499 Apr 19 05:22 audit.log.3
-r--------. 1 root root 6291552 Apr 18 17:48 audit.log.4
I would prefer not to change the permissions for security reasons.
Has anyone done log monitoring of /var/log/audit/audit.log using Zabbix? And if so, how?
It doesn't work because you need to run the Zabbix agent as root; you must allow the Zabbix agent to access that file. After that you can monitor the file as usual.
Here is your template for SELinux: https://github.com/GioMac/zabbix/blob/master/templates/Template_SELinux.xml
You can also create a new logfile, on each host, that gets copies of the relevant messages you want to trigger on. Then you just create a job to copy actionable messages from other logs to the new single log.
I try to stay away from mail, as that adds other issues and can prevent your security alert from getting out.
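One way to implement the copy job described in this answer, as an added example (not code from the original answer): a script run from root's cron that appends new type=AVC records from audit.log to a separate file the Zabbix agent can read, remembering a byte offset so records are not copied twice and starting over after auditd rotates the file. The destination path, the offset file and the zabbix group name are assumptions; the sample audit records are constructed.

```shell
#!/bin/sh
# Copy new type=AVC records from the audit log into a file the Zabbix
# agent may read, remembering how far we got so lines are not duplicated.
# Intended to run from root's cron (e.g. every minute); audit.log itself
# stays 0600 root:root. Uses GNU stat, as on CentOS.

copy_avc_lines() {
    src=$1     # e.g. /var/log/audit/audit.log
    dst=$2     # e.g. /var/log/zabbix-avc.log (assumed path, readable by zabbix)
    state=$3   # e.g. /var/lib/zabbix-avc.offset (assumed path, byte offset scanned)

    off=0
    [ -f "$state" ] && off=$(cat "$state")
    size=$(stat -c %s "$src")
    # auditd rotated the file (it is now smaller than the saved offset): rescan from 0
    [ "$size" -lt "$off" ] && off=0

    # append only records beyond the old offset that start with "type=AVC "
    tail -c +$((off + 1)) "$src" | grep '^type=AVC ' >> "$dst" || true
    printf '%s\n' "$size" > "$state"

    # destination: root-owned, group zabbix (assumed group), mode 0640;
    # chgrp only succeeds when run as root, so a failure is ignored here
    chmod 0640 "$dst"
    chgrp zabbix "$dst" 2>/dev/null || true
}

# Number of AVC records in a file (0 for an empty or missing file).
count_avc() { grep -c '^type=AVC ' "$1" 2>/dev/null || true; }

# Stand-alone run on constructed sample records (not real audit data):
# two scans of a growing log, then one scan after a simulated rotation.
demo() {
    d=$(mktemp -d)
    printf 'type=SYSCALL msg=audit(1.0:10): arch=c000003e syscall=2 success=no\n' > "$d/audit.log"
    printf 'type=AVC msg=audit(1.0:11): avc:  denied  { read } for  pid=1234 comm="httpd"\n' >> "$d/audit.log"
    copy_avc_lines "$d/audit.log" "$d/avc.log" "$d/offset"
    # second run: only the one new AVC record is appended
    printf 'type=AVC msg=audit(2.0:12): avc:  denied  { write } for  pid=1235 comm="httpd"\n' >> "$d/audit.log"
    copy_avc_lines "$d/audit.log" "$d/avc.log" "$d/offset"
    # rotation: a fresh, smaller audit.log must be scanned from the start
    printf 'type=AVC msg=audit(3.0:13): avc:  denied  { open } for  pid=1236 comm="httpd"\n' > "$d/audit.log"
    copy_avc_lines "$d/audit.log" "$d/avc.log" "$d/offset"
    count_avc "$d/avc.log"   # 3 records copied in total
}
```

The Zabbix item then watches the copy instead of audit.log, using the same key form as in the question, e.g. log[/var/log/zabbix-avc.log,type=AVC,"UTF-8",100], while audit.log keeps its 0600 permissions.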
You can use Zabbix for log file monitoring to watch /var/log/audit/audit.log for the expected regexp (AVC possibly) and set a trigger accordingly.