Audit Event Poller
The Audit Event Poller component is an example of how to automate audit log checks on a Linux system using ausearch. On a schedule, it runs a configured list of ausearch commands and transforms the text output ausearch generates into structured JSON, making the data easier to process and to integrate with other tools.
This is useful for monitoring, auditing, and security tracking because it creates a clear audit trail that includes timestamps, the exact commands executed, and the user responsible for each action (the login UID, which auditd keeps stable across su and sudo).
Running the Component
The Audit Event Poller component requires auditing to be set up and verified outside of Iguana. Refer to Set Up Linux System Auditing with auditd for a simple guide and tips on setting up auditing.
STEP 1: Import the Audit Event Poller component
Using +COMPONENT, import the Audit Event Poller component.
STEP 2: Set up the component configurations
Component Configurations:

| Field | Description | Default Value |
|---|---|---|
| Delay (s) | Polling interval in seconds between runs of the commands file. | |
| Commands File | A file containing the ausearch commands to execute, one command per line. | |
| Print Debug Logs | Enable or disable debug logs. | |
STEP 3: Start the component and view the generated logs
After starting the component, compare the generated logs with the output of the same ausearch commands run in a terminal on the host (as root, since ausearch reads /var/log/audit/audit.log). The events reported by Audit Event Poller on IguanaX should match what the terminal shows.
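The following script is an added example and is not the Audit Event Poller's own code (the component runs inside IguanaX; this stand-in runs on the host so the ausearch-to-JSON transformation can be inspected outside Iguana). It implements the same three pieces the configuration above describes: a commands file with one ausearch command per line, a polling delay, and an optional debug flag. The command-line layout, the top-level JSON field names, and the sample ausearch output are all assumptions; the sample is constructed, not captured from a real host.

```python
"""Added example, not the Iguana component's code: poll ausearch commands and print JSON events."""
import json
import re
import shlex
import subprocess
import sys
import time
from datetime import datetime, timezone

# Every record starts "type=SYSCALL msg=audit(1704067200.123:4567): ..."; the (timestamp:serial)
# pair identifies the event, and every record of one event carries the same pair.
RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")  # value is "quoted", 'quoted' or bare
HEX_FIELDS = {"proctitle", "name", "cwd", "comm", "exe"}  # hex-encoded when they hold odd bytes

# Constructed sample: event 4567 in the default ausearch layout, 4568 in the --raw layout.
SAMPLE_OUTPUT = """\
----
time->Mon Jan  1 00:00:00 2024
type=PROCTITLE msg=audit(1704067200.123:4567): proctitle=636174002F6574632F736861646F77
type=PATH msg=audit(1704067200.123:4567): item=0 name="/etc/shadow" inode=262145 dev=fd:00 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1704067200.123:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c4e1b50 a2=0 a3=0 items=1 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="shadow-access"

type=SYSCALL msg=audit(1704067205.456:4568): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d3a2b0c2a0 a2=0 a3=0 items=1 ppid=3000 pid=3001 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 comm="less" exe="/usr/bin/less" key="shadow-access"
type=PATH msg=audit(1704067205.456:4568): item=0 name="/etc/shadow" inode=262145 dev=fd:00 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=PROCTITLE msg=audit(1704067205.456:4568): proctitle=6C657373002F6574632F736861646F77
"""

def decode_value(key, raw):
    """Strip quotes, or hex-decode the fields auditd encodes (argv in proctitle is NUL-separated)."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ").rstrip()
    return raw

def parse_ausearch(text):
    """Group record lines by event id and return one summarised dict per event, in log order."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # "----", "time->..." and blank separator lines carry no fields
        ev = events.setdefault((m["ts"], m["serial"]), {"epoch": float(m["ts"]), "serial": int(m["serial"]), "records": []})
        ev["records"].append({"type": m["type"], **{k: decode_value(k, v) for k, v in KV_RE.findall(m["body"])}})
    return [summarize(ev) for ev in events.values()]

def summarize(ev):
    """Lift who (auid: the login user, survives su/sudo), what, when and which file to the top level."""
    by_type = {}
    for rec in ev["records"]:
        by_type.setdefault(rec["type"], []).append(rec)
    sc = by_type.get("SYSCALL", [{}])[0]
    return {
        "timestamp": datetime.fromtimestamp(ev["epoch"], tz=timezone.utc).isoformat(),
        "epoch": ev["epoch"],
        "serial": ev["serial"],
        "key": sc.get("key"),
        "success": None if "success" not in sc else sc["success"] == "yes",
        "auid": sc.get("auid"),
        "uid": sc.get("uid"),
        "comm": sc.get("comm"),
        "exe": sc.get("exe"),
        "command": by_type.get("PROCTITLE", [{}])[0].get("proctitle"),
        "paths": [p["name"] for p in by_type.get("PATH", []) if "name" in p],
        "records": ev["records"],
    }

def build_argv(command):
    """Split without a shell and refuse anything in the commands file that is not ausearch."""
    argv = shlex.split(command)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ausearch":
        raise ValueError(f"refusing to run non-ausearch command: {command!r}")
    return argv

def run_command(command):
    res = subprocess.run(build_argv(command), capture_output=True, text=True, check=False)
    # ausearch exits 1 and prints "<no matches>" on stderr when nothing matched; not an error here.
    if res.returncode != 0 and "<no matches>" not in res.stderr:
        raise RuntimeError(f"{command!r} exited {res.returncode}: {res.stderr.strip()}")
    return parse_ausearch(res.stdout)

def poll(commands_file, delay, debug=False):
    """Re-run every command each cycle; emit each (epoch, serial) once even if it matches again."""
    seen = set()
    while True:
        with open(commands_file, encoding="utf-8") as f:
            commands = [ln.strip() for ln in f if ln.strip() and not ln.startswith("#")]
        for command in commands:
            for ev in run_command(command):
                if (ev["epoch"], ev["serial"]) not in seen:
                    seen.add((ev["epoch"], ev["serial"]))
                    print(json.dumps(ev))
            if debug:
                print(f"[debug] ran {command!r}; {len(seen)} distinct event(s) so far", file=sys.stderr)
        time.sleep(delay)

if __name__ == "__main__":  # usage: sudo python3 poller.py commands.txt 60 [--debug]
    poll(sys.argv[1], float(sys.argv[2]), "--debug" in sys.argv[3:])
```

Two points to keep in mind when using a poller like this. First, an ausearch command such as `ausearch -k shadow-access` returns every event that still matches on every cycle, so without deduplication the same event is emitted once per polling interval; the in-process `seen` set handles that within one run, and across restarts the commands in the file should carry a bound such as `-ts recent` or ausearch's `--checkpoint` option. Second, the poller must run as root (or via sudo) because ausearch reads /var/log/audit/audit.log, which is the same reason the STEP 3 comparison against the terminal has to be done as root.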