Remote logging with auditd
Steve Grubb
sgrubb at redhat.com
Fri Nov 14 02:44:53 UTC 2014
On Thursday, November 13, 2014 11:23:59 PM Wouter van Verre wrote:
> However, in my plugin I only seem to receive data from the central (i.e.
> local) server...
The feed to audispd, right now, is before receiving remote events. Meaning
that audispd only sees local events and never aggregate events...as things are
now.
> I draw this conclusion both because I see only one node name, and also
> because I generate TTY events on the client server only (and they show in
> /var/log/audit/audit.log as expected), and these do not show in the output
> from my plugin. Is this the expected behaviour?
Today, yes.
> Are plugins only supposed to receive the locally generated audit events? If
> it is, is there a way to forward the remotely generated data to a plugin on
> the central server?
Yes, and it would take some changes to the listening code to insert the events
at the right point in the event loop.
-Steve
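
The check described in the thread (only one node name reaches the plugin, while the client's TTY events do appear in /var/log/audit/audit.log) can be automated. The following is an added example, not code from the thread or from the audit project. It assumes records carry a leading node= field and that the plugin's input has been captured to a file; the sample records and host names are constructed.

```python
import re
import sys
from collections import Counter, defaultdict

# Assumption: records start with node=<name> (written only when a node
# name format is configured); without it they start directly at type=.
RECORD_RE = re.compile(
    r'^(?:node=(?P<node>\S+)\s+)?type=(?P<type>\S+)\s+'
    r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)'
)

def tally_nodes(lines):
    """Return {node: Counter(record type -> count)} for parseable records."""
    seen = defaultdict(Counter)
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if m is None:
            continue  # blank line or truncated write, not an audit record
        seen[m.group('node') or '<no node field>'][m.group('type')] += 1
    return dict(seen)

def missing_from_feed(log_lines, feed_lines):
    """Nodes present in the aggregate log but absent from the plugin feed."""
    return sorted(set(tally_nodes(log_lines)) - set(tally_nodes(feed_lines)))

# Constructed sample: the central server's log holds both nodes,
# the plugin feed holds only the locally generated record.
SAMPLE_LOG = [
    'node=central.example type=USER_LOGIN msg=audit(1415932000.101:210): pid=1201 uid=0 res=success',
    'node=client.example type=TTY msg=audit(1415932493.552:87): tty pid=3310 uid=0 auid=1000 data=6C730A',
]
SAMPLE_FEED = [
    'node=central.example type=USER_LOGIN msg=audit(1415932000.101:210): pid=1201 uid=0 res=success',
]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <aggregate log> <captured feed>
        with open(sys.argv[1]) as log, open(sys.argv[2]) as feed:
            gap = missing_from_feed(log, feed)
    else:
        gap = missing_from_feed(SAMPLE_LOG, SAMPLE_FEED)
    print("nodes in log but not in plugin feed:", gap or "none")
```

A non-empty result on the central server means detection logic running as a plugin there has no visibility into those hosts and must read the aggregate log instead.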