Solved

[Bindplane Linux Agent] Auditd log collection does not send hostname

  • November 26, 2024
  • 2 replies
  • 88 views

ottimo

Hi all,

I find BindPlane Agent and BindPlane OP a great solution to manage the log collection process.

I have an issue with the auditd log: the agent sent the data without any information about the host that generated the log. So, inside the Google SecOps SIEM, I cannot understand which server sent that log.

I use the file receiver to read the /var/log/audit/audit.log file and the Chronicle exporter to send it to the SIEM.

Has anyone had the same issue?

Thank you all.

Best,

Matteo

Best answer by cbryant

You will want to edit your Auditd config file to include the hostname. You should be able to do that by adding the following line to /etc/audit/auditd.conf then restart the auditd service:

name_format = hostname

ref: https://man7.org/linux/man-pages/man5/auditd.conf.5.html#:~:text=a%20space%20check.-,name_format,-This%20option%20controls
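As an added worked example (not code from the original post, nor from Bindplane or auditd): with name_format = hostname, auditd prefixes every record it writes with a node= field carrying the value returned by gethostname(); with the default name_format = none that field is simply absent, which is why the records arrive in the SIEM with no originating host. The Python below uses only the standard library and constructed sample audit.log lines (not real data) to check an auditd.conf body for the setting and to parse records so the missing field is visible before the data leaves the agent.

```python
import re
from typing import Optional

# Constructed sample for this example, not taken from the original post.
# The first two records are the shape auditd writes with the default
# name_format = none; the last two are the shape it writes once
# name_format = hostname is set (each record gains a leading node= field).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1732608000.123:4567): arch=c000003e syscall=59 success=yes exit=0 comm="bash" exe="/usr/bin/bash" key="exec"
type=USER_LOGIN msg=audit(1732608001.456:4568): pid=1234 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/0 res=success'
node=web01 type=SYSCALL msg=audit(1732608002.789:4569): arch=c000003e syscall=59 success=yes exit=0 comm="bash" exe="/usr/bin/bash" key="exec"
node=web01 type=USER_LOGIN msg=audit(1732608003.012:4570): pid=1235 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/1 res=success'
"""

# Constructed auditd.conf fragments: the default (no name_format line)
# and the corrected file from the answer above.
CONF_DEFAULT = """\
log_file = /var/log/audit/audit.log
log_format = ENRICHED
# name_format = none
"""
CONF_FIXED = """\
log_file = /var/log/audit/audit.log
log_format = ENRICHED
name_format = hostname
"""

# Record header: an optional node= prefix, then type=, then msg=audit(ts:serial):.
# The hostname= that appears inside USER_LOGIN bodies is the remote peer,
# not the logging host, so it is deliberately not matched here.
_RECORD_RE = re.compile(
    r'^(?:node=(?P<node>\S+)\s+)?'
    r'type=(?P<type>\S+)\s+'
    r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*'
    r'(?P<body>.*)$'
)


def configured_name_format(conf_text: str) -> str:
    """Return the effective name_format of an auditd.conf body ('none' if unset)."""
    value = "none"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip().lower() == "name_format":
            value = val.strip().lower()       # last occurrence wins, as in the file
    return value


def hostname_is_logged(conf_text: str) -> bool:
    """True when auditd will emit a node= field on each record."""
    return configured_name_format(conf_text) != "none"


def parse_audit_record(line: str) -> Optional[dict]:
    """Split one audit.log line into its header fields; node is None if absent."""
    m = _RECORD_RE.match(line.strip())
    if not m:
        return None
    return {
        "node": m.group("node"),
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "body": m.group("body"),
    }


def records_without_node(log_text: str) -> list:
    """Serial numbers of records that carry no originating host."""
    missing = []
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if rec is not None and rec["node"] is None:
            missing.append(rec["serial"])
    return missing


if __name__ == "__main__":
    for label, conf in (("default", CONF_DEFAULT), ("fixed", CONF_FIXED)):
        print(f"{label}: name_format={configured_name_format(conf)} "
              f"hostname logged={hostname_is_logged(conf)}")
    print("records lacking node=:", records_without_node(SAMPLE_AUDIT_LOG))
```

Two caveats when applying the fix: on systemd distributions the auditd unit is marked RefuseManualStop, so after editing the file restart the daemon with service auditd restart rather than systemctl restart auditd; and the hostname= inside USER_LOGIN records names the remote peer, so it is not a substitute for the node= field when attributing events to a server.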

2 replies

cbryant
  • Bronze 1
  • Answer
  • November 26, 2024


matthewnichols
Community Manager
  • Community Manager
  • April 4, 2025

Hi @ottimo we just embedded our Bindplane and Data Pipeline Management webinar. Check it out here. Hopefully it helps with some of your other use cases as you leverage these features.