Audisp-remote - connection refused.

Rituraj Buddhisagar rituraj at vayana.com
Mon Oct 2 19:51:51 UTC 2017


Additional info:

I doubt that the daemon is only listening on localhost and not accepting
remote.

# lsof -i :6999
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 9624 root    3u  IPv4  37642      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)


Btw, no iptables is running on the host. Also no tcpwrappers.

Regards

Best Regards,
Rituraj B


On Tue, Oct 3, 2017 at 12:25 AM, Rituraj Buddhisagar <rituraj at vayana.com>
wrote:

> Hi
>
> I tried my best to configure the audisp-remote.
> I am getting the below error on the client machine in /var/log/syslog.
>
> Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7: Connection refused
>
>
> 192.168.103.7 is the IP address of the central log server.
>
> Notes: My settings are below:
>
> on server as well as on client:
> /etc/audisp/audisp-remote
>
> remote_server = 192.168.103.7
> port = 6999
> local_port = 6999
> transport = tcp
> queue_file = /var/spool/audit/remote.log
> mode = immediate
> queue_depth = 2048
> format = ascii
> network_retry_time = 100
>
>
> I have enabled name_format=HOSTNAME only in one place (in
> /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf)
>
> entries in auditd.conf:
>
> rtcp_listen_port = 6999
> tcp_listen_queue = 5
> tcp_max_per_addr = 10
> tcp_client_ports = 0-65535
> tcp_client_max_idle = 0
>
>
> I see the server is listening on the port 6999 as below but it's not
> accepting client requests.
> root@logs:/etc# lsof -i :6999
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)
>
>
>
> Best Regards,
> Rituraj B
>
>
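
Added example (not part of the original post and not code from the audit project): a small Python check that reads `lsof -i` output like the one quoted above and reports whether any socket on the port is actually in the LISTEN state, and whether a process is connected to its own address and port. The first sample line is constructed from the post's output; the `auditd` LISTEN line and the function names are hypothetical.

```python
import re

# Constructed sample: the lsof line from the post (re-joined onto one line).
POST_OUTPUT = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 9624 root    3u  IPv4  37642      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)
"""
# Hypothetical extra line: what a real listener on the port would look like.
LISTENER_OUTPUT = POST_OUTPUT + (
    "auditd    9700 root    5u  IPv4  40000      0t0  TCP *:6999 (LISTEN)\n"
)

# NAME column of a TCP socket: local[->remote] (STATE)
NAME_RE = re.compile(
    r"TCP\s+(?P<local>\S+?)(?:->(?P<remote>\S+))?\s+\((?P<state>[A-Z_0-9]+)\)\s*$"
)

def parse_lsof(text):
    """Return one dict per TCP socket line of `lsof -i` output."""
    sockets = []
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if not m:
            continue  # header or non-TCP line
        fields = line.split()
        sockets.append({"command": fields[0], "pid": int(fields[1]),
                        "local": m["local"], "remote": m["remote"],
                        "state": m["state"]})
    return sockets

def diagnose(text, port):
    """Summarise who, if anyone, is actually listening on `port`."""
    socks = parse_lsof(text)
    suffix = ":%d" % port
    # A listening socket has no remote endpoint and is in state LISTEN.
    listeners = [s for s in socks
                 if s["state"] == "LISTEN" and s["local"].endswith(suffix)]
    # Same address:port on both ends means the process reached itself.
    self_conns = [s for s in socks
                  if s["remote"] is not None and s["local"] == s["remote"]]
    return {"listening": bool(listeners),
            "listener_commands": sorted({s["command"] for s in listeners}),
            "self_connected": sorted({s["command"] for s in self_conns})}

if __name__ == "__main__":
    print(diagnose(POST_OUTPUT, 6999))
    print(diagnose(LISTENER_OUTPUT, 6999))
```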