Audisp-remote - connection refused.

Rituraj Buddhisagar rituraj at vayana.com
Wed Oct 4 14:01:49 UTC 2017


Hi Steve / List

Now, I have built auditd from source as per the mail thread and then also
created a startup script.

The auditd is starting successfully.

The client is able to connect to the aggregating server.


node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272): addr=192.168.103.2 port=60 res=success


I have made the necessary change in the server in /etc/audit/auditd.conf


log_format = NOLOG

I do not see any logs being populated. I checked the log file on the client
and on the server, and also /var/spool/audit/remote.log on the client.
On the server side /var/spool/audit/remote.log is empty (I am not sure if
this is something I should be checking at all).

I am clueless as to what is happening. Is there some way to debug this?
Where are these logs getting lost?
When I change the log_format back to RAW I do see the logs getting created on
the client.

I did my best reading on the net and debugging this, but no success. Please
help.




On Wed, Oct 4, 2017 at 1:52 AM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote:
> > Steve,
> >
> > Here is the relevant discussion on disabling the tcp listener on Ubuntu.
> > https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html
> >
> > I do not know what exactly caused change - but now I think it should be
> > enabled in distributions.
> >
> > Please let me know.
> >
> > Btw, I got auditd running (by setting LD_LIBRARY_PATH variable) from
> > source now. Still audispd is not started now - what is the way / sequence
> > to start auditd and audispd - if you can point me to some reference or a
> > startup script will help.
>
> Since you installed in a non-standard location, you probably need to adjust
> paths in the config files.
>
> What I would recommend is not to build and install by hand, but to use
> their package manager to build a new package with listening enabled. The
> ./configure script takes a --disable-listener parameter. So, it's probably
> as simple as deleting that in the source package and rebuilding.
>
> That said, I have no idea how to build a package on Debian or Ubuntu.
>
> -Steve
>
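An added check for the symptom described in this thread (example script, not code from the thread or from the audit project): it reads an auditd.conf and reports whether auditd will write received events to its log file at all. With log_format = NOLOG auditd writes no log file; events are still handed to the audispd plugins, which is consistent with the empty logs on the aggregating server. The sample config below is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example: decide from an auditd.conf whether auditd writes a log file.
# Assumed keys: log_format (NOLOG disables the log file) and write_logs
# (yes/no keyword in newer auditd; "no" also disables the log file).

# Print the effective value of a key in auditd.conf (last occurrence wins),
# ignoring comments, surrounding whitespace and key case.
auditd_conf_get() {
    conf="$1"; key="$2"
    sed -e 's/#.*//' "$conf" \
      | awk -F= -v k="$key" '
          NF >= 2 {
              gsub(/^[ \t]+|[ \t]+$/, "", $1)
              gsub(/^[ \t]+|[ \t]+$/, "", $2)
              if (tolower($1) == k) v = $2
          }
          END { print v }'
}

# Return 0 if auditd will write received events to disk, 1 if the config
# disables the log file. A short diagnosis is printed either way.
auditd_writes_logs() {
    conf="$1"
    fmt=$(auditd_conf_get "$conf" log_format | tr '[:lower:]' '[:upper:]')
    wl=$(auditd_conf_get "$conf" write_logs | tr '[:upper:]' '[:lower:]')
    if [ "$fmt" = "NOLOG" ] || [ "$wl" = "no" ]; then
        echo "auditd will NOT write a log file (log_format=${fmt:-RAW} write_logs=${wl:-unset})"
        return 1
    fi
    echo "auditd writes its log file (log_format=${fmt:-RAW} write_logs=${wl:-unset})"
    return 0
}

# Constructed sample mirroring the server-side setting from the thread.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# constructed auditd.conf fragment
log_file = /var/log/audit/audit.log
log_format = NOLOG
tcp_listen_port = 60
EOF
auditd_writes_logs "$sample_conf" || echo "fix: set log_format = RAW on the aggregating server"
rm -f "$sample_conf"
```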

