audisp-remote and audisp-prelude question

[Steve Grubb]

On Tuesday 24 March 2009 12:29:48 LC Bruzenak wrote:
> On the prewikka screen I only see the second event.

prelude is its own protocol and picks out certain data from its config files and 
puts in its packets. The intended use is each machine sends its prelude alerts 
to a common prelude manager. Each audit event is sent to its aggregator. The 
two systems diverge at audispd.

kernel->auditd->audispd-+->audisp-prelude->prelude-manager
                                               +->audisp-remote->auditd

-Steve