Rsyslog
Test output: sql0 is my syslog server, receiving audit messages from login0.
[ec2-user@CICD_HPCasCode_rsyslog-sql0 ~]$ sudo tail -n 10 /var/log/messages
Feb 25 11:22:47 CICD_HPCasCode_rsyslog-login0 tag_audit_log: type=USER_ERR msg=audit(1614212567.473:5902): pid=727 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=221.181.185.29 addr=221.181.185.29 terminal=ssh res=failed'
Feb 25 11:22:47 CICD_HPCasCode_rsyslog-login0 tag_audit_log: type=CRYPTO_KEY_USER msg=audit(1614212567.474:5903): pid=727 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:72:fa:b7:99:9f:d7:21:82:f5:49:eb:42:8a:70:5a:8a:9a:88:be:b8:b0:7c:63:2d:d2:2c:4b:8b:ba:4f:a4:f5 direction=? spid=727 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Feb 25 11:22:47 CICD_HPCasCode_rsyslog-login0 tag_audit_log: type=CRYPTO_KEY_USER msg=audit(1614212567.474:5904): pid=727 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:28:1b:da:90:c8:3a:ba:92:38:ae:de:e7:08:f9:64:ea:cb:e2:82:be:17:4a:4b:07:bb:ce:b3:49:38:11:a2:2f direction=? spid=727 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Feb 25 11:22:47 CICD_HPCasCode_rsyslog-login0 tag_audit_log: type=CRYPTO_KEY_USER msg=audit(1614212567.474:5905): pid=727 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:30:3c:dc:c3:40:c5:ff:18:c6:60:1e:18:33:63:e4:86:d8:f2:67:d0:3c:fd:3f:61:02:8c:2f:e2:b8:11:e6:7a direction=? spid=727 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Feb 25 11:22:47 CICD_HPCasCode_rsyslog-login0 tag_audit_log: type=USER_LOGIN msg=audit(1614212567.474:5906): pid=727 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=221.181.185.29 terminal=ssh res=failed'
Feb 25 11:22:54 CICD_HPCasCode_rsyslog-sql0 systemd-logind: Removed session 4.
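
To check on the receiving side that the forwarded records are usable, the parser below splits each tag_audit_log line into its syslog header, audit type, audit timestamp/serial and the key=value fields nested in msg='...', then lists the failed USER_LOGIN events. It is an added example, not part of the original test output; the function names are my own and SAMPLE is three lines copied from the output above.

```python
import re
from datetime import datetime, timezone

# Three lines copied from the output above: two forwarded audit records and one local line.
SAMPLE = """\
Feb 25 11:22:47 CICD_HPCasCode_rsyslog-login0 tag_audit_log: type=USER_ERR msg=audit(1614212567.473:5902): pid=727 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=221.181.185.29 addr=221.181.185.29 terminal=ssh res=failed'
Feb 25 11:22:47 CICD_HPCasCode_rsyslog-login0 tag_audit_log: type=USER_LOGIN msg=audit(1614212567.474:5906): pid=727 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=221.181.185.29 terminal=ssh res=failed'
Feb 25 11:22:54 CICD_HPCasCode_rsyslog-sql0 systemd-logind: Removed session 4.
"""

# Receiver's syslog header, the tag seen in the output, then the audit record itself.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) tag_audit_log: "
    r"type=(?P<type>\S+) msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs; a value is bare, "double-quoted", or the 'single-quoted' nested msg.
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")

def parse_kv(text):
    fields = {}
    for key, val in KV_RE.findall(text):
        if val.startswith("'"):
            fields.update(parse_kv(val[1:-1]))  # flatten the nested msg='...' payload
        else:
            fields[key] = val.strip('"')
    return fields

def parse_line(line):
    m = LINE_RE.match(line)
    if m is None:
        return None  # not a forwarded audit record, e.g. the receiver's own systemd-logind line
    rec = parse_kv(m["body"])
    # The epoch inside audit(...) is the event time on the client and carries the
    # year, which the syslog header written by the receiver does not.
    rec.update(host=m["host"], type=m["type"], serial=int(m["serial"]),
               time=datetime.fromtimestamp(float(m["epoch"]), tz=timezone.utc))
    return rec

def failed_logins(lines):
    recs = (parse_line(line) for line in lines)
    return [(r["host"], r.get("acct"), r.get("addr")) for r in recs
            if r and r["type"] == "USER_LOGIN" and r.get("res") == "failed"]

if __name__ == "__main__":
    for host, acct, addr in failed_logins(SAMPLE.splitlines()):
        print(f"failed login on {host}: acct={acct} from {addr}")
```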