Yes, it's a RHEL issue. Syslog of audit events is disabled by default.
Usually audit events are logged into the audit.log file, not to syslog.
One way, from a quick Google search (https://serverfault.com/questions/202044/sending-audit-logs-to-syslog-server):
The most secure and correct method is to use the audispd syslog plugin and/or audisp-remote.
To quickly get it working you can edit /etc/audisp/plugins.d/syslog.conf. RHEL includes this by default, though it is disabled. You need only change one line to enable it, active = yes.
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
Hope it will help.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
------------------------------
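The step described above (setting active = yes in the plugin file), as an added shell example that is not part of the original post; the function names and the sample file are constructed for illustration. The file path is an argument because audit 3.x, as shipped with RHEL 8, reads plugin files from /etc/audit/plugins.d rather than /etc/audisp/plugins.d.

```shell
#!/bin/sh
# Added example: inspect and enable an audit dispatcher plugin file.
# Function names and the sample file are assumptions made for illustration.

# Print the value of KEY from a "key = value" plugin file (last match wins).
plugin_get() {  # usage: plugin_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Report missing / enabled / disabled based on the "active" key.
plugin_status() {  # usage: plugin_status FILE
    if [ ! -f "$1" ]; then echo missing
    elif [ "$(plugin_get "$1" active)" = yes ]; then echo enabled
    else echo disabled
    fi
}

# Set active = yes, keeping FILE.bak; rewrites in place so owner, mode and
# SELinux label of the original file are preserved.
plugin_enable() {  # usage: plugin_enable FILE
    [ -f "$1" ] || return 1
    cp -p "$1" "$1.bak" || return 1
    if grep -Eq '^[[:space:]]*active[[:space:]]*=' "$1.bak"; then
        sed 's/^[[:space:]]*active[[:space:]]*=.*/active = yes/' "$1.bak" > "$1"
    else
        printf 'active = yes\n' >> "$1"
    fi
}

# Constructed sample: the plugin file from the post, in its disabled state.
write_sample() {  # usage: write_sample FILE
    cat > "$1" <<'EOF'
# sample syslog plugin file (constructed)
active = no
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
EOF
}

demo=$(mktemp)
write_sample "$demo"
echo "before: $(plugin_status "$demo")"
plugin_enable "$demo"
echo "after:  $(plugin_status "$demo")"
rm -f "$demo" "$demo.bak"
```

On a real host, run plugin_status and plugin_enable as root against the plugin file; auditd has to be restarted or reloaded before the change takes effect.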
Original Message:
Sent: Sep 17, 2024 04:51 PM
From: thomas1
Subject: Clearpass audit events not getting logged in rsyslog
Apologies if this is a repeat. I am trying to send the Clearpass Audit and Session events to a rsyslog server running RHEL 8. The Clearpass system events (using the Clearpass system export filter) are successfully written to the syslog file; however, the audit and session events (exported via their appropriate export filter) are not getting written to a file on the rsyslog server. I can see the events arriving at the rsyslog server via tcpdump and I am trying to figure out how to get these events to write to a file. I suspect this may be a Linux issue where audit logs are treated differently from syslog. I am hoping that someone has seen this same issue when configuring their Clearpass server to export events and can point me in the correct direction.