Sending audit logs to remote syslog
urgrue
urgrue at bulbous.org
Sat Nov 6 10:43:34 UTC 2010
Hi,
I'm trying to get audisp to forward logs to a remote syslog server,
using the au-remote plugin.
Is there any way to make this work directly, or is my only choice to go
through the local syslog and forward from there?
With the below settings I can indeed get the stop/start messages of
audit in my remote syslog, though slightly garbled, but nothing else.
Presumably it recognizes the failure and gives up?
And no, unfortunately I can't use auditd to listen on the remote host,
it has to be syslog.
au-remote.conf:
active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string
audisp-remote.conf:
remote_server = <remote server name>
port = 514
transport = tcp
mode = immediate
queue_depth = 200
format = managed
network_retry_time = 1
max_tries_per_record = 3
max_time_per_record = 5
heartbeat_timeout = 0
network_failure_action = stop
disk_low_action = ignore
disk_full_action = ignore
disk_error_action = syslog
remote_ending_action = suspend
generic_error_action = syslog
generic_warning_action = syslog
enable_krb5 = no
krb5_client_name = auditd
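A small lint over the audisp-remote.conf posted above, added here as an example and not part of the original message or of the audit project. It parses the plugin's "key = value" format and reports the settings that cannot work when the receiver is a plain syslog daemon rather than a listening auditd. The checks assume, from the audisp-remote.conf documentation, that format = managed prepends a management header and waits for acknowledgements only a remote auditd returns, that format = ascii sends the bare record text, and that the Kerberos option is negotiated with auditd only; the sample configuration is the one from the post, embedded inline with its placeholder host name kept as written.

```python
"""Lint an audisp-remote.conf for use against a plain syslog receiver."""
from typing import Dict, List

# Constructed sample: the audisp-remote.conf from the post above, with the
# placeholder host name left exactly as the poster wrote it.
SAMPLE_CONF = """\
remote_server = <remote server name>
port = 514
transport = tcp
mode = immediate
queue_depth = 200
format = managed
network_retry_time = 1
max_tries_per_record = 3
max_time_per_record = 5
heartbeat_timeout = 0
network_failure_action = stop
disk_low_action = ignore
disk_full_action = ignore
disk_error_action = syslog
remote_ending_action = suspend
generic_error_action = syslog
generic_warning_action = syslog
enable_krb5 = no
krb5_client_name = auditd
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse the 'key = value' lines audisp-remote.conf uses.

    Blank lines and '#' comments are skipped; keys are lower-cased so
    look-ups are case-insensitive. A line without '=' is a syntax error.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def lint_for_syslog_receiver(conf: Dict[str, str]) -> List[str]:
    """Return findings for pointing audisp-remote at a syslog daemon.

    The receiver is assumed to be a plain syslog server, not a listening
    auditd, so anything that relies on the auditd remote protocol is flagged.
    An absent 'format' is treated as 'managed' (assumed shipped default).
    """
    findings: List[str] = []

    if conf.get("format", "managed") == "managed":
        findings.append(
            "format = managed: a management header is prepended (the "
            "'garbled' text) and an acknowledgement is expected that only a "
            "remote auditd sends; use format = ascii for bare record text"
        )
    if conf.get("network_failure_action") == "stop":
        findings.append(
            "network_failure_action = stop: the first record that exhausts "
            "its retries ends delivery instead of being retried later"
        )
    if conf.get("enable_krb5", "no") == "yes":
        findings.append(
            "enable_krb5 = yes: Kerberos is negotiated with a remote auditd, "
            "not with a syslog receiver"
        )
    server = conf.get("remote_server", "")
    if not server or server.startswith("<"):
        findings.append(
            f"remote_server = {server!r}: placeholder, not a resolvable host"
        )
    return findings


if __name__ == "__main__":
    for finding in lint_for_syslog_receiver(parse_conf(SAMPLE_CONF)):
        print("-", finding)
```

Run it as-is to see the findings for the posted configuration; feed it the contents of /etc/audisp/audisp-remote.conf instead of SAMPLE_CONF to lint a live host. The lint only reads the file, so it is safe to run on a production audit client.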