Skip to content

Add-on fixes for linux / privileged #266

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Oct 13, 2025
Merged

Add-on fixes for linux / privileged #266

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
127 changes: 104 additions & 23 deletions docs/auditor/10.8/addon/linux/overview.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,38 +6,119 @@ sidebar_position: 120

# Linux Generic Syslog

The add-on works in collaboration with Netwrix Auditor, supplying data about activity on your
Linux-based devices. Aggregating data into a single audit trail simplifies analysis, makes activity
monitoring more cost effective, and helps you keep tabs on your IT infrastructure.
The add-on works in collaboration with Netwrix Auditor, supplying data about activity on your Linux-based devices. Aggregating data into a single audit trail simplifies analysis, makes activity monitoring more cost effective, and helps you keep tabs on your IT infrastructure.

Implemented as a service, this add-on facilitates the data transition from Linux-based systems to
Netwrix Auditor. All you have to do is provide connection details and specify parsing rules.
Implemented as a service, this add-on facilitates the data transition from Linux-based systems to Netwrix Auditor. All you have to do is provide connection details and specify parsing rules.

On a high level, the add-on works as follows:

**Step 1 –** The add-on listens to the specified UDP ports and captures designated Syslog messages.
**Step 1** – The add-on listens to the specified UDP ports and captures designated Syslog messages.

**Step 2 –** Out of the box, messages from Red Hat Enterprise Linux 7 and 6, SUSE Linux Enterprise
Server 12, openSUSE42, and Ubuntu 16 are supported. For other distributions, deployment of the
rsyslog package may be required. You can edit the add-on configuration to extend the captured
message list.
**Step 2** – Out of the box, messages from Red Hat Enterprise Linux 6, 7, 8, 9, SUSE Linux Enterprise Server 12, openSUSE 42, and Ubuntu 16 are supported. For other distributions, deployment of the rsyslog package may be required. You can edit the add-on configuration to extend the captured message list.

**Step 3 –** The add-on processes these events into Netwrix Auditor-compatible format (Activity
Records). Each Activity Record contains the user account, action, time, and other details.
**Step 3** – The add-on processes these events into Netwrix Auditor-compatible format (Activity Records). Each Activity Record contains the user account, action, time, and other details.

**Step 4 –** Using the Integration API, the add-on sends the activity records to the Netwrix Auditor
Server, which writes them to the Long-Term Archive and the Audit Database.
**Step 4** – Using the Integration API, the add-on sends the activity records to the Netwrix Auditor Server, which writes them to the Long-Term Archive and the Audit Database.

See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure
of the Activity Record and the capabilities of the NIntegration API.
See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure of the Activity Record and the capabilities of the Integration API.

## Prerequisites

Before running the add-on, ensure that all the necessary components and policies are configured as
follows:
Before running the add-on, ensure that all the necessary components and policies are configured as follows:

| On... | Ensure that... |
| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| The Netwrix Auditor Server side | - The Audit Database settings are configured in Auditor Server. - The TCP **9699** port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Contributor role in Auditor. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. |
| The computer where the add-on will be installed | - The UDP 514 port is open for inbound connections. **CAUTION:** UPD 514 port can only be used by one service, otherwise the following error will occur: [ERROR] Error occurred when starting the syslog udp listener. Only one usage of each socket address (protocol/network address/port) is normally permitted - .Net Framework [3.5 SP1](http://www.microsoft.com/en-us/download/details.aspx?id=22), [4.0](https://www.microsoft.com/en-us/download/details.aspx?id=17851), [4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653), or [4.6](https://www.microsoft.com/en-us/download/details.aspx?id=48130) is installed. |
| On the target syslog-based platform | Outbound UDP 514 port must be enabled. The **Syslog daemon** must be configured to redirect events. The procedure below explains how to configure redirection. **NOTE:** Red Hat Enterprise Linux 7 and 6, SUSE Linux Enterprise Server 12, openSUSE 42, and Ubuntu 16 are supported out of the box. For other distributions, deployment of the rsyslog package may be required. - On Red Hat Enterprise Linux 7, perform the following steps: **Step 5 –** Open the **/ etc/ rsyslog.conf** file. **Step 6 –** Add the following line: `auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format` where **name** is a FQDN, Net BIOSname or IP address of the computer where Netwrix Auditor Server is installed. For example: `auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_SyslogProtocol23Format` **Step 7 –** Launch the **RHEL console** and execute the following command: `service rsyslog restart` - On Ubuntu 16, perform the following steps: **Step 1 –** Navigate to the **/ etc/ rsyslog.d/ 50-default.conf** file. **Step 2 –** Add the following line: `auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format` where **name** is a FQDN, Net BIOSname or IP address of the computer where Netwrix Auditor Server is installed. For example: `auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_SyslogProtocol23Format` **Step 3 –** Launch the **UBUNTU console** and execute the following command: `service rsyslog restart` |
### The Netwrix Auditor Server side

- The Audit Database settings are configured in Auditor Server.
- The TCP **9699** port (default Auditor Integration API port) is open for inbound connections.
- The user retrieving data from the Audit Database is granted the Contributor role in Auditor. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product.
- The UDP **514** port is open for inbound connections.

**CAUTION:** UDP 514 port can only be used by one service, otherwise the following error will occur:

```
[ERROR] Error occurred when starting the syslog udp listener. Only one usage of each socket address (protocol/network address/port) is normally permitted
```

- .NET Framework [4.7.2](https://www.microsoft.com/en-us/download/details.aspx?id=48130) is installed.

### On the target syslog-based platform

- Outbound UDP **514** port must be enabled.
- The **Syslog daemon** must be configured to redirect events. The procedure below explains how to configure redirection.

**NOTE:** The deployment of the rsyslog package may be required.

#### Configuration for RHEL 6-8 Linux Server

**Step 1** – Ensure that rsyslog is installed. If not, install it using the following command:

```bash
sudo yum install rsyslog
```

**Step 2** – Open the `/etc/rsyslog.conf` file.

**Step 3** – Add the following line:

```
auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format
```

where **name** is a FQDN, NetBIOS name or IP address of the computer where Netwrix Auditor Server is installed.

For example:

```
auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_SyslogProtocol23Format
```

**Step 4** – Save the file and restart the rsyslog service:

```bash
sudo service rsyslog restart
```

To verify the service is running:

```bash
sudo service rsyslog status
```

#### Configuration for Ubuntu and RHEL 9+

**Step 1** – Ensure that rsyslog is installed. If not, install it using the appropriate command:

For Ubuntu/Debian:

```bash
sudo apt-get update
sudo apt-get install rsyslog
```

For RHEL 9+:

```bash
sudo dnf install rsyslog
```

**Step 2** – Navigate to the `/etc/rsyslog.d/50-default.conf` file.

**Step 3** – Add the following line:

```
auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format
```

where **name** is a FQDN, NetBIOS name or IP address of the computer where Netwrix Auditor Server is installed.

For example:

```
auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_SyslogProtocol23Format
```

**Step 4** – Save the file and restart the rsyslog service:

```bash
sudo systemctl restart rsyslog
```
Loading