LOG_WARN or LOG_WARNING?

Ryan Sawhill rsawhill at redhat.com
Tue Oct 4 15:51:36 UTC 2016


On Tue, Oct 4, 2016 at 11:29 AM, leam hall <leamhall at gmail.com> wrote:

> If I put "audit.none" in /etc/rsyslog.conf for the /var/log/messages line,
> it prevents audisp from logging there even though audisp to syslog is
> turned on.
>

I find that hard to believe, since "audit" is not a facility name and
that's what rsyslog is expecting and the message I wrote IS what rsyslog
prints when you give an invalid facility name, but okay.



> Our end state is pretty simple, in theory. We want to have 1 copy of audit
> events on the system for auditing and send a remote copy elsewhere.
>

Hopefully Steve and friends won't mind that we're so off-topic here, but I
would approach that differently if I were you.

Assuming you're using the rsyslog.conf that comes with RHEL (which includes
/etc/rsyslog.d/*.conf before the main directives like the /var/log/messages
action line):

  echo -e 'if $programname == "audispd" then @remotehost\n& ~' > /etc/rsyslog.d/audit.conf

Note that if you change the syslog plugin to use one of the local facility
names (and not just change the priority as we discussed earlier), then you
could have rsyslog filter on that instead of the programname -- benefit
being that it will get you closer to only matching on actual audit records.

All that said, if you really want to send audit records to a central host,
I hope you've at least considered using auditd's own native functionality.
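As an added example (not code from the original message), here is the facility-based variant Ryan alludes to, as a small POSIX shell helper that stages audisp's syslog plugin config and the rsyslog drop-in. LOG_LOCAL6/local6, the collector hostname and the DESTDIR staging variable are assumptions; the file paths are the RHEL 7 defaults.

```shell
# Added example, not from the original message. audisp's syslog plugin is
# told to tag records with a local facility (LOG_LOCAL6 is an assumption;
# any unused localN works), and rsyslog then matches on that facility
# instead of $programname. DESTDIR (assumed) stages into a scratch tree.

# Emit /etc/audisp/plugins.d/syslog.conf; the second "args" word sets the
# facility (the stock file has only LOG_INFO, i.e. facility "user").
render_audisp_syslog_conf() {
  facility="${1:-LOG_LOCAL6}"
  cat <<EOF
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO ${facility}
format = string
EOF
}

# Emit the rsyslog drop-in: forward the facility over TCP (@@, instead of
# the lossy UDP @ of the original one-liner), then discard so the main
# /var/log/messages action never sees these records. rsyslog 7+ also
# accepts "& stop" in place of the legacy "& ~".
render_rsyslog_audit_conf() {
  facility="${1:-local6}"
  remote="${2:-remotehost}"
  printf '%s.* @@%s\n& ~\n' "$facility" "$remote"
}

# Write both files under DESTDIR (default: live system) and syntax-check
# with rsyslogd -N1 when installing for real on a host that has rsyslogd.
install_audit_forwarding() {
  destdir="${DESTDIR:-}"
  mkdir -p "$destdir/etc/audisp/plugins.d" "$destdir/etc/rsyslog.d"
  render_audisp_syslog_conf LOG_LOCAL6 > "$destdir/etc/audisp/plugins.d/syslog.conf"
  render_rsyslog_audit_conf local6 "$1" > "$destdir/etc/rsyslog.d/audit.conf"
  if [ -z "$destdir" ] && command -v rsyslogd >/dev/null 2>&1; then
    rsyslogd -N1
  fi
}
```

After a live install, restart auditd (which restarts audispd) and rsyslog, then check with `ausearch` on the collector that only audit records arrived.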