Help with auditd.conf

Tony Jones tonyj at suse.de
Tue Apr 29 19:01:20 UTC 2008


Scott Ehrlich wrote:
> Hello to all:
> I have Snare Agent and audit 1.5.2 running on a CentOS 5.0 box and a RHEL
> 5.0 server.  I ideally would like audit logs to be sent to both the
> system's local audit.log file and to a log server.  I reviewed the
> /etc/audit/auditd.conf file and tried to play with things and move things
> around, but an active watch of my log server's /var/log/syslog and local
> machine's audit.log does NOT show simultaneous activity, leading me to
> think it is either one way or the other, and that simultaneous local and
> remote logging is not possible.
> Is there a way to get both?
> Thanks.
> Scott

It's not possible directly. The kernel will log to syslog if there is no
auditd running, but normally, with auditd running, it'll log to auditd.
What you are trying to achieve is the reason the dispatcher (audispd) was
created. If you don't want to use one of the existing modules, you could
easily create your own which just relays to the local syslog.

Tony
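As an added example (not code from this thread or from the audit project), here is the kind of custom audispd plugin Tony describes: it reads the event lines audispd pipes to it on stdin and relays each one to the local syslog, so events reach both audit.log and the syslog forwarder. The plugin file path and config stanza are assumptions based on the standard audispd plugin keys, and the sample records are constructed.

```python
import re
import sys
import syslog

# Assumed plugin stanza (hypothetical path) that makes audispd start this script
# and pipe every event to it, e.g. /etc/audisp/plugins.d/syslog-relay.conf:
#   active = yes
#   direction = out
#   path = /usr/local/sbin/audisp-syslog-relay.py
#   type = always
#   format = string
# audispd writes one record per line on stdin, in the same
# "type=... msg=audit(SECONDS.MS:SERIAL): field=value ..." form as audit.log.
RECORD_RE = re.compile(r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")

# Record types worth noticing on the central log server get a higher
# syslog priority; everything else is forwarded as informational.
PRIORITY_BY_TYPE = {
    "ANOM_ABEND": syslog.LOG_WARNING,
    "USER_LOGIN": syslog.LOG_NOTICE,
}

# Constructed sample records (not captured from a real host).
SAMPLE_EVENTS = [
    "type=USER_LOGIN msg=audit(1209495680.123:456): pid=1234 uid=0 auid=500 res=success\n",
    "\n",
    'type=ANOM_ABEND msg=audit(1209495690.000:457): auid=500 uid=500 pid=2222 comm="foo" sig=11\n',
]

def format_for_syslog(line):
    """Return (priority, message) for one record, or None if the line is not an audit record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    priority = PRIORITY_BY_TYPE.get(m.group("type"), syslog.LOG_INFO)
    return priority, "audit[%s] %s %s" % (m.group("serial"), m.group("type"), m.group("body"))

def relay(stream, emit=syslog.syslog):
    """Forward every record on stream via emit(priority, message); return how many were sent."""
    count = 0
    for line in stream:
        result = format_for_syslog(line)
        if result is None:
            continue  # skip blank or malformed lines rather than exiting on them
        emit(*result)
        count += 1
    return count

if __name__ == "__main__":
    syslog.openlog("audisp-syslog", syslog.LOG_PID, syslog.LOG_AUTHPRIV)
    relay(sys.stdin)
```

Running it by hand as `cat /var/log/audit/audit.log | ./audisp-syslog-relay.py` shows the relayed lines in the local syslog before enabling the plugin stanza.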



