Help with auditd.conf

Kevin Boyce kevin.boyce at ngc.com
Tue Apr 29 19:51:01 UTC 2008


I think Ed is correct.  You should have a couple of lines in snare.conf
with the following.

file=<path to logfile>
network=<remote hostname or ip>:<port>

You can comment out either one or leave both.  You may even be able to
specify more than one of each, but I haven't tried that.

kevin

On Tue, 2008-04-29 at 11:43 -0700, Greg Herrmann wrote:

> Which version of Snare are you running?  If it's on an RHEL 5 server,
> I would assume version 1.3.  If so, shouldn't you be
> modifying /etc/snare.conf in order to do this?  
> 
> Ed Christiansen <edwardc at ll.mit.edu> wrote:
> 
>         Do you REALLY want to do this? Your filesystem
>         will just have more space taken up with duplicate
>         information.
>         
>         Scott Ehrlich wrote:
>         > Hello to all:
>         > 
>         > I have Snare Agent and audit 1.5.2 running on a CentOS 5.0 box and a RHEL
>         > 5.0 server. I ideally would like audit logs to be sent to both the
>         > system's local audit.log file and to a log server. I reviewed the
>         > /etc/audit/auditd.conf file and tried to play with things and move things
>         > around, but an active watch of my log server's /var/log/syslog and local
>         > machine's audit.log does NOT show simultaneous activity, leading me to
>         > think it is either one way or the other, and that simultaneous local and
>         > remote logging is not possible.
>         > 
>         > Is there a way to get both?
>         > 
>         > Thanks.
>         > 
>         > Scott
>         > 
>         > --
>         > Linux-audit mailing list
>         > Linux-audit at redhat.com
>         > https://www.redhat.com/mailman/listinfo/linux-audit