audit collector startup help

DJ Delorie dj at redhat.com
Tue Sep 9 18:36:55 UTC 2008


> Is there a HOWTO for activating the 1.7.5 aggregating feature?

Just the man pages.

> I believe that the collector needs to uncomment the lines
> in /etc/auditd/auditd.conf and the senders/clients need to set
> active=yes, remote=<IP-address> in the audisp-remote.conf file.

The collector needs the listener configured in /etc/audit/auditd.conf:

tcp_listen_port = 1237

The clients need the audisp-remote module enabled and configured:

/etc/audisp/plugins.d/au-remote.conf:
active = yes

/etc/audisp/audisp-remote.conf:
remote_server = 192.16.1.12   (your server's IP, not mine ;)
port = 1237  (or use some other port, up to you)
transport = tcp

Additional options:
format = managed
network_retry_time = 1
max_tries_per_record = 10
max_time_per_record = 7

You'll have to enable the connection through tcp_wrappers as well, if
you have that option enabled, as well as whatever firewall rules may
apply.

> However, my collector auditd fails on start;

Messages?
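One quick way to catch the usual reason a client never delivers anything is to check that the three files above agree with each other before starting the daemons. This is an added example, not code from the reply or from the audit project; the file paths, function names and sample values are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the audit project): checks that a client's audisp-remote
# settings line up with the collector's tcp_listen_port. File paths and values are
# constructed for the demo.

# get_conf FILE KEY: print the value of a "KEY = value" line, ignoring comments.
get_conf() {
    awk -v k="$2" -F'=' '
        /^[[:space:]]*#/ { next }
        {
            key = $1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
            if (key == k) {
                val = $2; sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# check_remote_config AUDITD_CONF AU_REMOTE_CONF AUDISP_REMOTE_CONF COLLECTOR_IP
# Prints each mismatch; returns 0 only when the client can reach the listener.
check_remote_config() {
    rc=0
    listen=$(get_conf "$1" tcp_listen_port)
    active=$(get_conf "$2" active)
    server=$(get_conf "$3" remote_server)
    port=$(get_conf "$3" port)
    transport=$(get_conf "$3" transport)
    [ -n "$listen" ] || { echo "collector: tcp_listen_port unset, listener disabled"; rc=1; }
    [ "$active" = yes ] || { echo "client: au-remote plugin not active (active=$active)"; rc=1; }
    [ "$server" = "$4" ] || { echo "client: remote_server=$server, expected $4"; rc=1; }
    [ "$port" = "$listen" ] || { echo "client: port=$port but collector listens on $listen"; rc=1; }
    [ "$transport" = tcp ] || { echo "client: transport=$transport, expected tcp"; rc=1; }
    return $rc
}

# Constructed sample files: the client's port does not match the collector's.
demo=$(mktemp -d)
printf 'tcp_listen_port = 1237\n' > "$demo/auditd.conf"
printf 'active = yes\n' > "$demo/au-remote.conf"
printf 'remote_server = 192.16.1.12\nport = 1238\ntransport = tcp\n' > "$demo/audisp-remote.conf"
check_remote_config "$demo/auditd.conf" "$demo/au-remote.conf" "$demo/audisp-remote.conf" 192.16.1.12 \
    || echo "client would connect to the wrong port; fix before starting audispd"
rm -rf "$demo"
```

Point the three arguments at the real files on the collector and a client to run the same check there; it does not cover the tcp_wrappers or firewall side, which still has to be verified separately.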
