More info on remote logging

Konstantin Ryabitsev icon at fedoraproject.org
Tue May 18 15:05:55 UTC 2010


On Tue, May 18, 2010 at 10:43 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Tuesday 18 May 2010 10:27:32 am Konstantin Ryabitsev wrote:
>> I'm interested in sending audit logs to a central logging server. One
>> option is using the builtin syslog plugin for audisp, but I also see
>> audisp-remote that mentions sending logs to a remote server.
>> Unfortunately, I'm having trouble finding more information about that
>> (such as "what kind of a remote server" and "how do you set up a
>> remote server").
>
> auditd is the remote server. Look at the auditd.conf man page starting at the
> tcp_listen_port entry to see what options you have available. One thing to
> note, I do not enable the Kerberos support right now on any Red Hat or Fedora
> release.

Ah, okay -- I suspected as such but wanted to make sure. Is there a
way to send audit data encrypted if Kerberos is not enabled?

>> Also a suggestion -- the syslog plugin for audisp doesn't specify the
>> facility, so the default facility (LOG_USER) is used. Perhaps this can
>> be made configurable so I could configure syslog to only send audit
>> logs to remote without duplicating them in /var/log/messages (e.g. set
>> facility to local9 and only send it to a remote server, not locally)?
>
> Sure. If you want to file an RFE bugzilla, please do.

Created as
https://bugzilla.redhat.com/show_bug.cgi?id=593340

Thanks!
-- 
McGill University IT Security
Konstantin "Kay" Ryabitsev
Montréal, Québec
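
The two-sided setup described in the quoted reply above (auditd as the receiver, audisp-remote as the sender), as an added configuration example that is not part of the original thread. The hostname loghost.example.org, the port numbers and the file paths are assumptions based on the stock audit package layout; check the auditd.conf and audisp-remote.conf man pages for the options your version supports.

```conf
# ---- Receiver: /etc/audit/auditd.conf on the central log server (path assumed) ----
# Listen for audit records from remote audisp-remote clients.
tcp_listen_port = 60
# Pending-connection backlog for the listening socket.
tcp_listen_queue = 5
# Allow one concurrent connection per client address.
tcp_max_per_addr = 1
# Accept only connections that originate from privileged source ports,
# so an unprivileged user on a client host cannot inject records.
tcp_client_ports = 1-1023
# Kerberos is left off, matching the builds mentioned in the thread.
# Without it the audit transport itself provides no encryption or
# peer authentication; records cross the network in the clear.
enable_krb5 = no

# ---- Sender: /etc/audisp/plugins.d/au-remote.conf on each client (path assumed) ----
# Activate the audisp-remote plugin in the audit dispatcher.
active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string

# ---- Sender: /etc/audisp/audisp-remote.conf on each client (path assumed) ----
# loghost.example.org is a placeholder for the central auditd host.
remote_server = loghost.example.org
# Must match tcp_listen_port on the receiver.
port = 60
# Bind to a privileged source port so the receiver's
# tcp_client_ports restriction accepts the connection.
local_port = 1023
transport = tcp
mode = immediate
# "managed" adds a header to each record and has the client wait for
# the server's acknowledgement, unlike the plain "ascii" format.
format = managed
enable_krb5 = no
```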




More information about the Linux-audit mailing list