audit collector startup help
LC Bruzenak
lenny at magitekltd.com
Fri Sep 12 16:50:31 UTC 2008
On Tue, 2008-09-09 at 14:36 -0400, DJ Delorie wrote:
> > Is there a HOWTO for activating the 1.7.5 aggregating feature?
>
> Just the man pages.
>
> > I believe that the collector needs to uncomment the lines
> > in /etc/auditd/auditd.conf and the senders/clients need to set
> > active=yes, remote=<IP-address> in the audisp-remote.conf file.
>
> The collector needs the listener configured in /etc/audit/auditd.conf:
>
> tcp_listen_port = 1237
>
> The clients need the audisp-remote module enabled and configured:
>
> /etc/audisp/plugins.d/au-remote.conf:
> active = yes
>
> /etc/audisp/audisp-remote.conf:
> remote_server = 192.16.1.12 (your server's IP, not mine ;)
> port = 1237 (or use some other port, up to you)
> transport = tcp
>
> Additional options:
> format = managed
> network_retry_time = 1
> max_tries_per_record = 10
> max_time_per_record = 7
DJ,
Thanks for the above. The network_retry_time (et. al.) must be in the
later version.
I have: audispd-plugins-1.7.5-1.fc9.x86_64 ; there is no mention of that
one in the man page and I get this message on startup:
Sep 12 11:43:48 comms audisp-remote: Unknown keyword "network_retry_time" in line 14 of /etc/audisp/audisp-remote.conf
Sep 12 11:43:48 comms auditd[4411]: Init complete, auditd 1.7.5 listening for events (startup state enable)
Sep 12 11:43:48 comms audispd: plugin /sbin/audisp-remote terminated unexpectedly
So I Removed the timing parameters.
Now I get this:
...
Sep 12 11:46:20 comms audisp-remote: lost/losing sync, bad magic number
Sep 12 11:46:20 comms audisp-remote: lost/losing sync, bad magic number
...
I do not see any errors in the message log on the collector.
Any ideas?
Thx again!
LCB.
--
LC (Lenny) Bruzenak
lenny at magitekltd.com
More information about the Linux-audit
mailing list