Question

Sending auditd Logs to Chronicle via Syslog on RHEL 8/9

  • July 29, 2025
  • 2 replies
  • 247 views

Mike

Hi everyone,

We're using Chronicle (Google SecOps) as our SIEM, with a log forwarder configured to receive syslog data (on UDP port 10519) — including auditd logs (on UDP port 10518).

We now want to reliably forward auditd logs to syslog on RHEL 8 and RHEL 9 systems, so they can be ingested by Chronicle through the forwarder.

What We Found
We’ve reviewed the official documentation:
https://cloud.google.com/chronicle/docs/ingestion/auditd

However:

It focuses on Debian/Ubuntu systems only

Most other tutorials we found are outdated or rely on deprecated components like audispd-plugins

Our Goal
Use the native auditd configuration on RHEL 8/9

Forward audit logs to rsyslog, which then sends them to Chronicle

Avoid deprecated or unnecessary plugins if possible

What We’re Asking
What’s the recommended way on RHEL 8/9 to forward auditd logs to rsyslog?

Should we still use audisp-syslog, or is there a more modern alternative?

Is there any validated or community-tested setup specifically for RHEL systems?

Thanks in advance for your support
We’re aiming to implement this cleanly and will gladly share back an updated guide once it's working.
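One way to do what the question asks, as an added example that is not from this thread or from Google's documentation: on RHEL 8/9 the audisp-syslog plugin is shipped inside the audit package itself and is configured under /etc/audit/plugins.d/, so no separate audispd-plugins package is needed. The plugin copies every audit record to the local syslog socket on a chosen facility, and an rsyslog rule forwards that facility over UDP to the Chronicle forwarder on port 10518 (the auditd port named in the question). Assumptions in this script: the forwarder address 192.0.2.10 is a constructed placeholder, facility local6 is otherwise unused on the host, the plugin binary lives at the RHEL default /sbin/audisp-syslog (confirm with `rpm -ql audit | grep audisp-syslog`), and the rsyslog drop-in name 30-chronicle-auditd.conf is my choice.

```shell
#!/bin/sh
# Added example, not code from the thread or from Google's Chronicle docs.
# Wires auditd -> audisp-syslog plugin -> rsyslog -> Chronicle forwarder (UDP 10518)
# on RHEL 8/9. Set ROOT=/some/dir to render the files into a staging tree
# instead of /etc (no services are restarted in that case).
set -eu

FORWARDER="${FORWARDER:-192.0.2.10}"   # constructed placeholder: Chronicle forwarder IP
ROOT="${ROOT:-}"                       # empty = install for real under /etc

# Plugin configuration shipped with the audit package; activating it makes auditd
# hand each event to audisp-syslog, which logs it at priority INFO on facility LOCAL6.
audisp_syslog_conf() {
cat <<'EOF'
active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_INFO LOG_LOCAL6
format = string
EOF
}

# rsyslog rule: ship everything on local6 to the forwarder over UDP, then "& stop"
# so the audit stream is not also written into /var/log/messages.
rsyslog_conf() {
  printf 'local6.*\t@%s:10518\n& stop\n' "$1"
}

install_confs() {
  mkdir -p "$ROOT/etc/audit/plugins.d" "$ROOT/etc/rsyslog.d"
  audisp_syslog_conf > "$ROOT/etc/audit/plugins.d/syslog.conf"
  rsyslog_conf "$FORWARDER" > "$ROOT/etc/rsyslog.d/30-chronicle-auditd.conf"
}

# Checks a reviewer can run on the rendered files before restarting anything:
# plugin is active, facility matches the rsyslog selector, forwarder and port are right.
check_confs() {
  grep -q '^active = yes' "$ROOT/etc/audit/plugins.d/syslog.conf" &&
  grep -q 'LOG_LOCAL6' "$ROOT/etc/audit/plugins.d/syslog.conf" &&
  grep -q "^local6\.\*.*@$FORWARDER:10518" "$ROOT/etc/rsyslog.d/30-chronicle-auditd.conf"
}

if [ "${1:-}" = "install" ]; then
  install_confs
  check_confs
  if [ -z "$ROOT" ]; then
    # auditd's unit sets RefuseManualStop, so use the service wrapper, not systemctl restart.
    service auditd restart
    systemctl restart rsyslog
  fi
fi
```

After a real install, `logger -p local6.info "chronicle path test"` exercises the rsyslog leg on its own (a matching line should appear on the forwarder), and a new entry in /var/log/audit/audit.log should then show up there too, since auditd keeps writing its own log alongside the plugin copy.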


2 replies

kentphelps
Staff
  • August 8, 2025

Please check this Collect Linux auditd and AIX systems logs doc and let us know if it helps here.


Mike
  • Author
  • New Member
  • August 18, 2025

Hello, I found this link and modified it to work with RHEL ==>  https://cloud.google.com/chronicle/docs/ingestion/auditd?hl=fr