audispd stopping on distribute-network = yes
Lenny Bruzenak
lenny at magitekltd.com
Wed Oct 17 20:53:42 UTC 2018
On 10/16/2018 04:07 PM, Lenny Bruzenak wrote:
> Situation:
>
> Have 3 VMs all running RHEL7.6 (3.10.0-933.el7.x86_64) with audit
> components 2.8.4, including audisp-plugins. Using the audisp-remote
> plugin,
>
> Machine A -> B
>
> Machine B -> C
>
> Problem 1:
>
> If I enable "distribute_network = yes" on Machine B, audispd (and
> children) stops.
>
> No anom_abend, no message in syslog, no audit event I can identify as
> a clue.
>
>
> If I disable the distribute_network, the audispd and audisp-remote
> work fine.
Looks like, with preliminary testing, that maybe this problem is
restricted to the RAW data format.
I noticed that my machines were set to RAW; once changed to ENRICHED it
does work.
Since I plan on using only enriched, it really doesn't matter too much
to me. Raw settings while forwarding events probably don't make a lot of
sense anyway.
Thx,
LCB
--
Lenny Bruzenak
MagitekLTD
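The post reports that audispd on relay machine B stops when audispd.conf has distribute_network = yes while auditd.conf has log_format = RAW, and that switching to ENRICHED makes the relay work. The script below is an added example, not from the post or the audit project: a small config audit that flags that combination on a relay host. The option names (log_format in auditd.conf, distribute_network in audispd.conf) are the real audit 2.8 keys; the sample config files are constructed here, and the helper names conf_get and check_relay are this example's own.

```shell
#!/bin/sh
# Added example (not the poster's or the audit project's code).
# Flags the combination reported above on a relay host:
#   auditd.conf:   log_format = RAW
#   audispd.conf:  distribute_network = yes
# Sample config contents are constructed for this example.

# conf_get FILE KEY: print the value of "KEY = value" from a
# key = value config file, ignoring "#" comments and whitespace.
# Prints nothing when KEY is absent; the last occurrence wins.
conf_get() {
    sed -n -e 's/#.*//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        "$1" | tail -n 1
}

# check_relay AUDITD_CONF AUDISPD_CONF
# Returns 1 (and warns) when log_format is explicitly RAW and
# distribute_network is yes; returns 0 otherwise. A missing log_format
# is reported but not treated as RAW, so no shipped default is assumed.
check_relay() {
    fmt=$(conf_get "$1" log_format | tr 'a-z' 'A-Z')
    dist=$(conf_get "$2" distribute_network | tr 'A-Z' 'a-z')
    if [ -z "$fmt" ]; then
        echo "NOTE: log_format not set in $1; cannot classify" >&2
    fi
    if [ "$fmt" = "RAW" ] && [ "$dist" = "yes" ]; then
        echo "WARN: log_format=RAW in $1 with distribute_network=yes in $2" >&2
        return 1
    fi
    return 0
}

# Constructed sample configs for relay machine B, before and after the
# change described in the post.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/auditd_raw.conf" <<'EOF'
# constructed sample, not a complete auditd.conf
log_file = /var/log/audit/audit.log
log_format = RAW
EOF

cat > "$tmp/auditd_enriched.conf" <<'EOF'
# constructed sample, not a complete auditd.conf
log_file = /var/log/audit/audit.log
log_format = ENRICHED
EOF

cat > "$tmp/audispd.conf" <<'EOF'
# constructed sample relay config: re-emit events received from machine A
q_depth = 250
overflow_action = SYSLOG
priority_boost = 4
max_restarts = 10
name_format = NONE
distribute_network = yes
EOF

# Stand-alone run: the RAW pairing is flagged, the ENRICHED one passes.
check_relay "$tmp/auditd_raw.conf" "$tmp/audispd.conf" \
    || echo "relay B (RAW): flagged"
check_relay "$tmp/auditd_enriched.conf" "$tmp/audispd.conf" \
    && echo "relay B (ENRICHED): ok"
```

On a real host the two arguments would be /etc/audit/auditd.conf and /etc/audisp/audispd.conf; the check only reads the files, so it can run under a non-root account that has read access to them.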