More info on remote logging

Steve Grubb sgrubb at redhat.com
Tue May 18 14:43:24 UTC 2010


On Tuesday 18 May 2010 10:27:32 am Konstantin Ryabitsev wrote:
> I'm interested in sending audit logs to a central logging server. One
> option is using the builtin syslog plugin for audisp, but I also see
> audisp-remote that mentions sending logs to a remote server.
> Unfortunately, I'm having trouble finding more information about that
> (such as "what kind of a remote server" and "how do you set up a
> remote server").

auditd is the remote server. Look at the auditd.conf man page starting at the
tcp_listen_port entry to see what options you have available. One thing to
note, I do not enable the Kerberos support right now on any Red Hat or Fedora
release.

> Also a suggestion -- the syslog plugin for audisp doesn't specify the
> facility, so the default facility (LOG_USER) is used. Perhaps this can
> be made configurable so I could configure syslog to only send audit
> logs to remote without duplicating them in /var/log/messages (e.g. set
> facility to local9 and only send it to a remote server, not locally)?

Sure. If you want to file an RFE bugzilla, please do.

> Currently that's not possible and I end up wasting space by having
> audit logs both in /var/log/audit/audit.log and in /var/log/messages.
> Turning off af_unix is an option, but that has a significant drawback
> of complicating ausearch/aureport.

-Steve
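The setup Steve describes (auditd listening, audisp-remote forwarding to it), written out as an added configuration example that is not part of this thread. The host names, port numbers and file paths are assumptions; the paths follow the audit 2.x layout, where the plugin files live under /etc/audisp (newer releases moved them under /etc/audit). Because Kerberos is not enabled in these builds, the TCP stream is neither authenticated nor encrypted, so the server side limits which clients it accepts and the network path should be firewalled to the collector.

```ini
# --- Central collector: /etc/audit/auditd.conf (relevant entries only) ---
# Port auditd listens on; commented out by default, which disables listening.
tcp_listen_port = 60
# Backlog for pending connections and per-source connection limit.
tcp_listen_queue = 5
tcp_max_per_addr = 1
# Only accept connections whose source port is privileged (1-1023): a client
# must be root to bind there, which is a weak but useful sanity check when
# enable_krb5 = no (Kerberos is not built in on these releases).
tcp_client_ports = 1-1023
tcp_client_max_idle = 0
enable_krb5 = no

# --- Forwarding host: /etc/audisp/plugins.d/au-remote.conf ---
# Turn the plugin on; it stays inactive until active = yes.
active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string

# --- Forwarding host: /etc/audisp/audisp-remote.conf ---
# Assumed collector name; must resolve on the forwarding host.
remote_server = auditlog.example.internal
port = 60
# Bind a privileged local port so the server's tcp_client_ports check passes.
local_port = 1000
transport = tcp
mode = immediate
```

After editing, restart auditd on both hosts and confirm with `ausearch` on the collector that records carrying the forwarding host's name arrive; a client that cannot reach the server will queue and, depending on its failure settings, can stop local auditing, so test the failure behaviour before relying on it.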