audit messages to syslog

Jan-Frode Myklebust janfrode at tanso.net
Sat Oct 15 23:18:36 UTC 2011


On Sat, Oct 15, 2011 at 7:13 PM, Kevin Fenzi <kevin at scrye.com> wrote:

> We would need to setup a new server/port/firewall rule however?
> I didn't find any good/easy/simple doc on setting up a central audit
> server. Do you know of any? Otherwise I can set one up here at home and
> play around with it.

I don't remember seeing much documentation for it, but AFAIK it's just
a matter of defining a tcp_listen_port in /etc/audit/auditd.conf to
have it listen and collect.

       tcp_listen_port
              This is a numeric value in the range 1..65535 which, if
              specified, causes auditd to listen on the corresponding TCP
              port for audit records from remote systems. The audit daemon
              may be linked with tcp_wrappers. You may want to control
              access with an entry in the hosts.allow and deny files.


  -jf
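
A check for the collector setup described in the message above, added here as an example that is not part of the original post or of the audit project: it reads tcp_listen_port from an auditd.conf-style file and reports whether hosts.allow and hosts.deny restrict who may connect. The function names are hypothetical, and it assumes that auditd is linked with tcp_wrappers and registers under the daemon name "auditd".

```shell
#!/bin/sh
# Added example, not from the original post: check a collector's listener setup.

# Print tcp_listen_port from an auditd.conf-style file. Returns 0 if valid,
# 1 if unset (auditd does not listen), 2 if not a number in 1..65535.
# Assumption: if the key is repeated, the last uncommented occurrence is used.
listen_port() {
    port=$(awk -F= '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "tcp_listen_port" { val = $2; gsub(/[ \t]/, "", val) }
        END { print val }' "$1")
    [ -n "$port" ] || return 1
    case $port in *[!0-9]*) return 2 ;; esac
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2
    echo "$port"
}

# Succeed if a hosts.allow/hosts.deny-style file has a rule whose daemon list
# names auditd or ALL. Assumption: auditd's tcp_wrappers daemon name is "auditd".
has_rule() {
    [ -r "$1" ] || return 1
    awk -F: '
        /^[ \t]*#/ { next }
        { n = split($1, d, /[ \t,]+/)
          for (i = 1; i <= n; i++) if (d[i] == "auditd" || d[i] == "ALL") hit = 1 }
        END { exit !hit }' "$1"
}

# Usage: check_collector AUDITD_CONF HOSTS_ALLOW HOSTS_DENY
# Returns 0 when not listening or restricted, 1 when unrestricted, 2 on a bad port.
check_collector() {
    lp_rc=0; p=$(listen_port "$1") || lp_rc=$?
    case $lp_rc in
        1) echo "OK: tcp_listen_port unset, auditd is not listening"; return 0 ;;
        2) echo "FAIL: tcp_listen_port is not a number in 1..65535"; return 2 ;;
    esac
    if has_rule "$2" && has_rule "$3"; then
        echo "OK: port $p, auditd named in both hosts.allow and hosts.deny"
        return 0
    fi
    echo "WARN: port $p open without an allow+deny pair for auditd"
    return 1
}

# Run against the real files when called with three paths.
if [ "$#" -eq 3 ]; then check_collector "$@"; fi
```

The check only confirms that rules naming auditd exist; whether the listed client addresses are the intended senders, and whether a firewall also limits the port, still needs a manual look.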

