Sending audit logs to remote syslog

urgrue urgrue at bulbous.org
Sat Nov 6 10:43:34 UTC 2010


Hi,
I'm trying to get audisp to forward logs to a remote syslog server, 
using the au-remote plugin.

Is there any way to make this work directly, or is my only choice to go 
through the local syslog and forward from there?

With the below settings I can indeed get the stop/start messages of 
audit in my remote syslog, though slightly garbled, but nothing else. 
Presumably it recognizes the failure and gives up?

And no, unfortunately I can't use auditd to listen on the remote host, 
it has to be syslog.

au-remote.conf:
active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string

audisp-remote.conf:
remote_server = <remote server name>
port = 514
transport = tcp
mode = immediate
queue_depth = 200
format = managed
network_retry_time = 1
max_tries_per_record = 3
max_time_per_record = 5
heartbeat_timeout = 0
network_failure_action = stop
disk_low_action = ignore
disk_full_action = ignore
disk_error_action = syslog
remote_ending_action = suspend
generic_error_action = syslog
generic_warning_action = syslog
enable_krb5 = no
krb5_client_name = auditd

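Added example, not part of the post above or of the audit project's own code: a small Python linter that parses the `key = value` syntax of audisp-remote.conf and flags the settings a reviewer would question when the receiver is a plain syslog server rather than an auditd listener. The rules encode the editor's reading of the audisp-remote.conf(5) option descriptions (`managed` framing versus `ascii` text, `ignore` disk actions, a zero heartbeat, no Kerberos on TCP) and are heuristics, not project-supplied checks; the sample input is the configuration quoted in the post, copied verbatim.

```python
"""Lint an audisp-remote.conf for settings that lose events or confuse
a plain syslog receiver.  Editor's example; not from the audit project."""
from __future__ import annotations

# Input copied verbatim from the mailing-list post above.
SAMPLE_CONF = """\
remote_server = <remote server name>
port = 514
transport = tcp
mode = immediate
queue_depth = 200
format = managed
network_retry_time = 1
max_tries_per_record = 3
max_time_per_record = 5
heartbeat_timeout = 0
network_failure_action = stop
disk_low_action = ignore
disk_full_action = ignore
disk_error_action = syslog
remote_ending_action = suspend
generic_error_action = syslog
generic_warning_action = syslog
enable_krb5 = no
krb5_client_name = auditd
"""


def parse_conf(text: str) -> dict[str, str]:
    """Parse the simple 'key = value' format used by the audisp config files.

    Blank lines and '#' comments are skipped; keys are lower-cased so that
    lookups are not case sensitive.
    """
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key.lower()] = value
    return conf


def lint_conf(conf: dict[str, str], receiver_is_plain_syslog: bool) -> list[str]:
    """Return human-readable findings.  The rules are review heuristics
    drawn from the option descriptions in audisp-remote.conf(5)."""
    findings: list[str] = []

    # 'managed' wraps every event in a framing header that only an auditd
    # listener understands; a syslog daemon expects bare text, so it logs
    # the header bytes as garbage or drops the record.  'ascii' sends text.
    if receiver_is_plain_syslog and conf.get("format") == "managed":
        findings.append("format=managed: receiver is plain syslog, use format=ascii")

    # 'ignore' on a disk-queue condition means queued events are dropped
    # with no log entry, which defeats the point of a remote audit trail.
    for key in ("disk_low_action", "disk_full_action", "disk_error_action"):
        if conf.get(key) == "ignore":
            findings.append(f"{key}=ignore: queued events can be dropped silently")

    # A heartbeat of 0 disables it, so a half-open TCP session is never noticed.
    if conf.get("heartbeat_timeout") == "0":
        findings.append("heartbeat_timeout=0: dead connections are not detected")

    # Without Kerberos the TCP stream is neither authenticated nor encrypted.
    if conf.get("transport") == "tcp" and conf.get("enable_krb5", "no") == "no":
        findings.append("enable_krb5=no: events cross the network in clear text")

    # Catch a config that was copied from a template and never filled in.
    server = conf.get("remote_server", "")
    if not server or server.startswith("<"):
        findings.append("remote_server: still a placeholder")

    return findings


def lint_text(text: str, receiver_is_plain_syslog: bool = True) -> list[str]:
    """Convenience wrapper: parse then lint a config file's contents."""
    return lint_conf(parse_conf(text), receiver_is_plain_syslog)


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONF):
        print(finding)
```

Run against the posted configuration it reports six findings, the first being the `format = managed` mismatch that explains the garbled start/stop lines the poster sees; pass `receiver_is_plain_syslog=False` when the far end really is an auditd listener and that finding disappears while the reliability findings remain.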