<aside> <img src="/icons/info-alternate_blue.svg" alt="/icons/info-alternate_blue.svg" width="40px" />

Для работы TLS: раскомментируйте в файле /etc/rsyslog.d/00-modules.conf секцию “For tls”

</aside>

vi /etc/rsyslog.d/audit.conf
# Load the file-input module; the input() stanza that reads audit.log needs it.
module(load="imfile")
# NOTE(review): gtls is a network stream driver that rsyslog normally loads on
# demand once DefaultNetstreamDriver names it; confirm that module(load="gtls")
# is accepted by your build before uncommenting.
# module(load="gtls") # For TLS
# global(DefaultNetstreamDriver="gtls") # For TLS

# Tail the auditd log and inject each line as a syslog message tagged
# "auditd" (facility local6, severity info).
# audit.log is normally readable by root only, so rsyslog must keep enough
# privilege to open it; a privilege-dropped rsyslog will silently read nothing.
input(
	type="imfile"
	file="/var/log/audit/audit.log"
	readMode="0"        # line-by-line: one audit record per message
	addMetadata="on"    # attach file metadata (e.g. the source file name) to each message
	tag="auditd"        # becomes $programname, which the forwarding rule matches on
	facility="local6"
	severity="info"
)

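# Forward everything produced by the audit.log input (Tag="auditd") to the
# central syslog server.
if ($programname == "auditd") then {
	action(
		name="fwd_audit_tcp"
		type="omfwd"
		target="IP or FQDN" # IP or FQDN of syslog server (FQDN only for TLS)
		port="port" # port of syslog server
		protocol="tcp" # tcp or udp; the TLS options below require tcp, and udp gives no delivery guarantee
		# StreamDriver="gtls" # For TLS
		# StreamDriverMode="1"  # For TLS (1 = TLS-only)
		# "anon" encrypts the stream but does not authenticate the server: the
		# sender cannot tell the real collector from an impostor on the path.
		# Audit records are sensitive, so prefer x509/name outside of lab setups.
		# StreamDriverAuthMode="anon" # For TLS without Verification
		# StreamDriverAuthMode="x509/name" # For TLS with Verification
		# omfwd documents this parameter as StreamDriverPermittedPeers (plural).
		# StreamDriverPermittedPeers="FQDN" # For TLS with Verification
		# omfwd takes the CA file as StreamDriver.CAFile (rsyslog 8.2108.0+); on
		# older versions set global(DefaultNetstreamDriverCAFile="...") instead.
		# tls.cacert is an omrelp parameter and is not accepted by omfwd.
		# StreamDriver.CAFile="/etc/rsyslog/ca.crt" # For TLS with Verification
		# In-memory queue of up to 10000 messages: it absorbs short outages, but
		# its contents are lost when rsyslog stops. For audit data consider a
		# disk-assisted queue (queue.filename plus queue.saveOnShutdown="on").
		queue.type="LinkedList"
		queue.size="10000"
		action.resumeRetryCount="-1" # retry forever instead of suspending the action
	)
}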