TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: Endpoint Operating System Logs
ENVIRONMENT: Linux Operating System Endpoints
SUMMARY: Configuration Guide for Collecting Linux Flat File Logs
Warning! Most Linux distributions do not have sufficient logging on by default, so you may need to manually enable the AuditD or JournalD log source. Please contact your Linux distro's support or refer to their documentation for instructions on how to turn those logging sources on.
Caution: AuditD and JournalD may generate new entries infrequently, so data can be slow to appear in SIEM. If you're not seeing any data 30 minutes after setting up a new source, you may need to manually cause a SIEM event by stopping and starting AuditD, or by remotely logging into your JournalD machine(s).
Vendor Information
| Vendor | General Linux Distributions |
|---|---|
| Collection Method | Huntress Agent |
| Query Syntax | event.provider == "Linux" |
| Billable Sources Calculation | 1 Log Source per Endpoint |
| Additional Information | |
Source Configuration
Install the Huntress Agent on each Linux Endpoint
In order to collect Linux Flat Files, the Huntress Agent must be installed on each Linux endpoint that needs logging, and entitled (that is, licensed) for SIEM. AuditD or JournalD must also be turned on, as they are often not on by default. You may need to reach out to your distro's support or online documentation in order to determine which of these are available for your OS, how to turn them on, and how to verify they're on.
Create the Huntress SIEM Integration
- Navigate to Huntress SIEM -> Source Management -> Linux Event Logs
- Navigate to the Endpoint Status tab.
- Either enable "Collection Enabled by Default" or "Collection Disabled by Default"
- If Enabled by Default, override to disable any organizations or organization endpoints as needed. If Disabled by Default, override to enable any organizations or organization endpoints as needed.
After about 30 minutes, the configuration updates should be shown as new log sources in your Source Management page. If you don't see any new data within 30 minutes, verify AuditD and/or JournalD are running on your system.
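The verification step above ("verify AuditD and/or JournalD are running") can be scripted. The following is an added example, not Huntress code and not part of the Huntress Agent: it checks the state of the auditd and systemd-journald units, enables and starts a unit that is stopped (which needs root), and counts recent journal entries from the processes the JournalD subscription covers. The unit names (auditd, systemd-journald) and process names (sshd, polkitd, crond, with cron as the Debian-family spelling) are assumptions based on common systemd naming; they vary by distribution, so adjust them to match your OS.

```shell
#!/bin/sh
# Added example (not Huntress code): confirm that the log sources the Huntress
# Agent reads on Linux, auditd and systemd-journald, are running, enable them
# if they are not, and confirm the journal is receiving entries from the
# services named in this guide (sshd, polkitd, crond). Unit and process names
# are assumptions: they follow common systemd naming and vary by distribution.

# Translate the text `systemctl is-active` prints into a verdict. Free of
# side effects so it can be checked on a machine without systemd.
verdict_for_state() {
    case "$1" in
        active|activating)            echo "running" ;;
        inactive|failed|deactivating) echo "stopped" ;;
        *)                            echo "unknown" ;;
    esac
}

# Turn a journal line count into a verdict; zero entries in the window means
# the source has nothing for SIEM to pick up yet.
verdict_for_count() {
    if [ "$1" -gt 0 ] 2>/dev/null; then echo "ok"; else echo "empty"; fi
}

# Check one systemd unit; enable and start it when it is stopped (needs root).
ensure_unit() {
    unit="$1"
    if ! command -v systemctl >/dev/null 2>&1; then
        echo "$unit: systemctl not found; host is not systemd-based, see distro docs"
        return 0
    fi
    state="$(systemctl is-active "$unit" 2>/dev/null || true)"
    case "$(verdict_for_state "$state")" in
        running) echo "$unit: running" ;;
        stopped) echo "$unit: $state, enabling and starting"
                 systemctl enable --now "$unit" ;;
        *)       echo "$unit: not known to systemd (state '$state'); check distro docs" ;;
    esac
}

# Count entries from the last hour for each process the JournalD subscription
# covers. _COMM matches the logging process name; cron vs crond is distro-specific.
journal_activity() {
    if ! command -v journalctl >/dev/null 2>&1; then
        echo "journalctl not found; skipping journal check"
        return 0
    fi
    for comm in sshd polkitd crond cron; do
        n="$(journalctl "_COMM=$comm" --since=-1h -q --no-pager 2>/dev/null | wc -l | tr -d ' ')"
        echo "$comm: $n journal entries in the last hour ($(verdict_for_count "$n"))"
    done
}

main() {
    ensure_unit auditd
    ensure_unit systemd-journald
    journal_activity
}

main
```

Run it as root on the endpoint after installing the Huntress Agent. A unit reported as "running" with "empty" journal counts for every process is the situation the caution at the top of this guide describes: the source is on but has produced nothing recently, so a remote login or an auditd stop/start will generate the first entries.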
Important Information
Huntress Managed SIEM currently collects Linux logs from the AuditD log and/or JournalD (this varies by distro!). Specifically, the JournalD subscription includes SSHD, POLKITD, and CROND. These are the core contributors of security-relevant logging on the Linux operating system.