<div dir="ltr"><br><div class="gmail_extra"><br></div><div class="gmail_quote">On Tue, Oct 4, 2016 at 11:51 AM, Ryan Sawhill <span dir="ltr"><<a href="mailto:rsawhill@redhat.com" target="_blank">rsawhill@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span>On Tue, Oct 4, 2016 at 11:29 AM, leam hall <span dir="ltr"><<a href="mailto:leamhall@gmail.com" target="_blank">leamhall@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div>If I put "audit.none" in /etc/rsyslog.conf for the /var/log/messages line, it prevents audisp from logging there even though audisp to syslog is turned on.</div></blockquote><div><br></div></span><div>I find that hard to believe, since "audit" is not a facility name and that's what rsyslog is expecting and the message I wrote IS what rsyslog prints when you give an invalid facility name, but okay.<br></div></div></div></div></blockquote><div><br></div><div>I found it odd as well, but it does seem to work.</div><div><br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div dir="ltr"><div class="gmail_extra">All that said, if you really want to send audit records to a central host, I hope you've at least considered using auditd's own native functionality.<br></div></div>
</blockquote></div><div class="gmail_extra"><br>Wasn't aware of it. Pointer to a doc?</div><div class="gmail_extra"><br></div><div class="gmail_extra">Thanks!</div><div class="gmail_extra"><br></div><div class="gmail_extra">Leam<br clear="all"><br>-- <br></div><div class="gmail_signature" data-smartmail="gmail_signature"><div><a href="http://leamhall.blogspot.com/" target="_blank">Mind on a Mission</a></div></div><div class="gmail_extra">
</div></div>