
I have been studying logging on Linux but I have come to a roadblock that's had me stuck for the past few days. My goal is to forward logs from two Raspberry Pi 3s running OpenSUSE Tumbleweed (aarch64) to my laptop running Ubuntu 17.04. I'm using rsyslog to accomplish this, with imjournal as the source, because I want to store the logs in JSON format with all the extra metadata provided by the systemd journal and play with that later.

The problem I am trying to address is a lack of _TRANSPORT=audit on my Raspberry Pis. I recompiled systemd with audit support on one of my Pis thinking that would solve the problem, but it hasn't. I have also added audit=1 to the kernel command line on the Pis and rebooted them. My laptop supports the audit transport.

Here's the output of journalctl --version, sudo journalctl --field _TRANSPORT, and cat /proc/cmdline on my various systems.

laptop:

$ journalctl --version
systemd 232
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP 
+LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS 
+KMOD +IDN

$ sudo journalctl --field _TRANSPORT
syslog
stdout
journal
audit
driver
kernel

$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.10.0-33-generic.efi.signed 
root=UUID=cf4dc10b-511a-4369-ad5c-637833244929 ro apparmor=1 
security=apparmor 

rpi1 (reconfigured systemd with audit support):

$ journalctl --version
systemd 234
+PAM +AUDIT +SELINUX -IMA +APPARMOR -SMACK +SYSVINIT +UTMP 
+LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID -ELFUTILS 
+KMOD -IDN2 -IDN default-hierarchy=hybrid

$ sudo journalctl --field _TRANSPORT
stdout
kernel
journal
syslog
driver

$ cat /proc/cmdline
BOOT_IMAGE=/boot/Image-4.4.83-5-default root=UUID=30bbe534-b90f-4de6-
a0e6-1e2b60088461 root=/dev/disk/by-id/mmc-ACLCD_0xd02f42e5-part2 
disk=/dev/disk/by-id/mmc-ACLCD_0xd02f42e5 resume=/dev/disk/by-id/mmc-
ACLCD_0xd02f42e5-part3 quiet splash=silent plymouth.enable=0 
swiotlb=512,force cma=384M console=ttyS0,115200n8 console=tty quiet 
audit=1

rpi2 (with original systemd configured by the distro):

$ journalctl --version
systemd 234
+PAM -AUDIT +SELINUX -IMA +APPARMOR -SMACK +SYSVINIT +UTMP 
+LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID -ELFUTILS 
+KMOD -IDN2 -IDN default-hierarchy=hybrid

$ sudo journalctl --field _TRANSPORT
stdout
kernel
journal
syslog
driver

$ cat /proc/cmdline
BOOT_IMAGE=/boot/Image-4.4.83-5-default root=UUID=30bbe534-b90f-4de6-
a0e6-1e2b60088461 root=/dev/disk/by-id/mmc-ACLCD_0xcaf643ee-part2 
disk=/dev/disk/by-id/mmc-ACLCD_0xcaf643ee resume=/dev/disk/by-id/mmc-
ACLCD_0xcaf643ee-part3 quiet splash=silent plymouth.enable=0 
swiotlb=512,force cma=384M console=ttyS0,115200n8 console=tty quiet 
audit=1

I'm not sure what I need to do to get the audit transport available for systemd-journald on my Pis. I have auditd.service and systemd-journald-audit.socket enabled and active on all my systems. If you need any other info just let me know, thank you.

1 Answer


I would check these things:

  • The systemd-journald-audit.socket is configured to listen to a socket using the AF_NETLINK protocol. If systemctl status systemd-journald-audit.socket is not active, then systemd-journald.service is not using it.

  • Ensure systemd-journald-audit.socket is included in Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket in the systemd-journald.service definition.

    If missing from your default systemd-journald.service, create an override at /etc/systemd/system/systemd-journald.service.d/override.conf:

    # systemctl edit systemd-journald.service
    [Service]
    Sockets=
    Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
    # systemctl restart systemd-journald.service
    
  • audit=0 has not been set as a kernel parameter. Check with cat /proc/cmdline.

Verify that audit is now in your set of values for the field _TRANSPORT:

# journalctl --field _TRANSPORT
stdout
kernel
syslog
journal
audit
driver
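The checklist above, encoded as a small POSIX shell script (an added example, not part of the answer). Each check takes its input as a string so it can be run against captured output from a remote Pi as well as the live host; check_live assumes systemctl and journalctl are on PATH.

```shell
# Kernel command line: true when audit=0 is present as a whole token.
cmdline_audit_disabled() {
    for tok in $1; do
        [ "$tok" = "audit=0" ] && return 0
    done
    return 1
}

# From the text of `systemctl cat systemd-journald.service` (unit plus drop-ins),
# print the effective Sockets= list: non-empty assignments append, an empty
# `Sockets=` clears the list, so an override can reset and then re-set it.
effective_sockets() {
    printf '%s\n' "$1" | awk -F= '
        /^Sockets=/ { if ($2 == "") v = ""; else v = (v == "" ? $2 : v " " $2) }
        END { print v }'
}

# True when systemd-journald-audit.socket is in a space-separated socket list.
sockets_include_audit() {
    case " $1 " in
        *" systemd-journald-audit.socket "*) return 0 ;;
    esac
    return 1
}

# True when `journalctl --field _TRANSPORT` output contains an "audit" line.
transport_has_audit() {
    printf '%s\n' "$1" | grep -qx 'audit'
}

# Run every check against the live system; prints one FAIL line per problem.
check_live() {
    rc=0
    if cmdline_audit_disabled "$(cat /proc/cmdline)"; then
        echo "FAIL: audit=0 on the kernel command line"; rc=1; fi
    if ! systemctl is-active --quiet systemd-journald-audit.socket; then
        echo "FAIL: systemd-journald-audit.socket is not active"; rc=1; fi
    if ! sockets_include_audit "$(effective_sockets "$(systemctl cat systemd-journald.service)")"; then
        echo "FAIL: systemd-journald.service does not list the audit socket in Sockets="; rc=1; fi
    if ! transport_has_audit "$(journalctl --field _TRANSPORT 2>/dev/null)"; then
        echo "FAIL: no _TRANSPORT=audit entries in the journal"; rc=1; fi
    [ "$rc" -eq 0 ] && echo "OK: audit transport is wired up"
    return "$rc"
}
```

Source the file and call check_live as root; a non-zero exit means at least one item on the checklist still needs fixing.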