I looked this up on CentOS 7.
According to man auditctl, you could check for the euid to filter more specifically for the user juser.
As you have not specified, and also for the benefit of other readers, I will describe what to do using syslog-ng and rsyslog to have a server logging simultaneously to two remote syslog servers.
If you have syslog-ng logging to a central syslog server, modify /etc/syslog-ng.conf
As an example:
source s_src { unix-dgram("/dev/log"); internal();
file("/proc/kmsg" program_override("kernel"));
};
destination d_loghost {udp("10.10.1.1" port(514));};
log { source(s_src); destination(d_loghost); };
To syslog to a 2nd destination, add:
destination d_loghost2 {udp("10.10.1.2" port(514));};
log { source(s_src); destination(d_loghost2); };
If running rsyslog, then actually it is simpler. The configuration file is /etc/rsyslog.conf
Where you find a destination:
*.* @10.10.1.1:514
you add a 2nd destination:
*.* @10.10.1.2:514
After changing the configuration, the syslog daemons on the client side need to be restarted, using respectively:
sudo service syslog-ng restart
or
sudo service rsyslog restart
As the syslog daemon sends all messages to all destinations configured, unless you explicitly filter out services or log levels, you do not need to configure anything else [on the client side]. Both will receive exactly the same logs.
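A check for the "both receive the same logs" condition described in the answer above, as an added example that is not part of the original answer: it lists the forwarding rules in rsyslog configuration text and reports selectors that reach the first loghost but not the second. The function names list_forwards and missing_on are hypothetical, the authpriv line in the sample is constructed, and only the legacy `@` (UDP) / `@@` (TCP) syntax with IPv4 or hostname targets is handled.

```shell
#!/bin/sh
# Added example: audit rsyslog legacy forwarding rules read from stdin.

# Print one "selector proto host port" line per forwarding rule.
list_forwards() {
    awk '
        /^[[:space:]]*#/ { next }            # skip comment lines
        NF >= 2 && $2 ~ /^@/ {
            target = $2
            proto = "udp"
            if (target ~ /^@@/) { proto = "tcp"; sub(/^@@/, "", target) }
            else                { sub(/^@/, "", target) }
            port = "514"                     # rsyslog default when no port is given
            n = split(target, parts, ":")
            if (n == 2) { target = parts[1]; port = parts[2] }
            print $1, proto, target, port
        }
    '
}

# Print selectors forwarded to host $1 but not to host $2.
# Empty output means host $2 receives everything host $1 does.
missing_on() {
    list_forwards | awk -v a="$1" -v b="$2" '
        $3 == a { on_a[$1] = 1 }
        $3 == b { on_b[$1] = 1 }
        END { for (s in on_a) if (!(s in on_b)) print s }
    ' | sort
}

# Constructed sample configuration (not taken from a real host).
SAMPLE_CONF='# forward everything to both loghosts
*.* @10.10.1.1:514
*.* @10.10.1.2:514
# constructed gap: authpriv goes to the first loghost only
authpriv.* @10.10.1.1:514
local6.*   /var/log/local6.log
'

echo "Forwarding rules:"
printf '%s' "$SAMPLE_CONF" | list_forwards
echo "Selectors missing on 10.10.1.2:"
printf '%s' "$SAMPLE_CONF" | missing_on 10.10.1.1 10.10.1.2
```

On a real client the same functions can be fed with `missing_on 10.10.1.1 10.10.1.2 < /etc/rsyslog.conf`.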
Best Answer
Edit /etc/audisp/plugins.d and change
args = LOG_INFO
to this:
args = local6
Then edit /etc/rsyslog.conf and add local6 to the "some catch-all log files" block so it's like this:
Also change the line args = in /etc/audisp/plugins.d to:
args = LOG_LOCAL6
This was adapted from this post.