Remote logging with auditd

LC Bruzenak lenny at magitekltd.com
Sun Nov 2 21:25:50 UTC 2014


On 11/02/2014 03:16 PM, Wouter van Verre wrote:
> Hi Steve,
>
> Many thanks for your response.
> I will be reading the presentation and the examples in the tarball and
> go from there for implementing my processing plugin.
>
> Regarding the logging to disk on the central server:
> I have node names set up for both servers now and am now getting the
> following behaviour:
>    On the client server I can see the events being prefixed with
> node=Elephant in the log on that server.
>    On the central server I can see that local events are being
> prefixed with node=Mongoose.
>    However, events that were sent to the central server by the client
> server show up in the central server's log with
>    node=localhost.localdomain. So it seems that the node information
> gets lost between the client and central server?
>
> Would you have any idea why the node information is lost?
>
>
> Many thanks,
>
> Wouter

Check /etc/audisp/audispd.conf on your client.
Look at the line with "name_format=" and it probably says "hostname"
(case insensitive).
Test this by checking the "% hostname" command on your client.
See the audispd.conf man page for more info.

LCB

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
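
The check suggested in the reply above, written out as a script (an added example, not part of the original message or of the audit package): it reads name_format and name from an audispd.conf-style file and reports the node name forwarded events would carry. The function names are hypothetical, the sample config is constructed, and treating a missing name_format as none is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: which node name will forwarded events carry?

# conf_get FILE KEY: print the value of the last "KEY = value" line (key case-insensitive).
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # comment line
        index($0, "=") == 0 { next }              # not a key = value line
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }' "$1"
}

# effective_node FILE [HOST]: print the node name implied by name_format.
# HOST defaults to the output of hostname(1); pass it explicitly to test a value.
effective_node() {
    host=${2:-$(hostname)}
    fmt=$(conf_get "$1" name_format | tr '[:upper:]' '[:lower:]')
    case "$fmt" in
        user)        conf_get "$1" name ;;
        hostname)    printf '%s\n' "$host" ;;
        fqd|numeric) printf 'dns:%s\n' "$host" ;;   # depends on resolving HOST via DNS
        none|'')     printf '\n' ;;                 # assumption: unset behaves like none
        *)           echo "unknown name_format: $fmt" >&2; return 2 ;;
    esac
}

# node_problem FILE [HOST]: exit 0 and explain when the name is unusable, else exit 1.
node_problem() {
    node=$(effective_node "$1" "$2") || return 0
    case "$node" in
        '')                         echo "no node name: name_format is none or unset" ;;
        localhost*|dns:localhost*)  echo "node would be '$node': hostname is not a unique name" ;;
        *)                          return 1 ;;
    esac
}

# Constructed sample config matching the situation in the reply.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'q_depth = 80' 'name_format = HOSTNAME' > "$sample"
node_problem "$sample" localhost.localdomain
rm -f "$sample"
```

On a real client, call `node_problem /etc/audisp/audispd.conf` with no second argument so the machine's own hostname is used.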
