audit collection

DJ Delorie dj at redhat.com
Mon Sep 15 17:24:28 UTC 2008


> Sep 15 11:48:14 comms audispd: queue is full - dropping event
> 
> I assume this indicates the problem - sending isn't happening so the
> audispd queue fills.

Yes, this means nothing is getting across the network.  Have you tried
running tcpdump on the client side?  Or running gdb on the running
audisp-remote to see where it's stuck.

> I'd have expected an audisp syslog error though.

I do log all the errors I could detect, so I don't know what's
happening here.  Those syslog errors are likely from audisp itself,
not the remote plugin.

It would help if you could try it between two 32-bit hosts.  At least
that would remove the "int size bug" possibility.



