From: LC Bruzenak <lenny@magitekltd.com>
To: DJ Delorie <dj@redhat.com>
Cc: linux-audit@redhat.com
Subject: audit collector connect fails
Date: Thu, 11 Sep 2008 17:00:41 -0500 [thread overview]
Message-ID: <1221170441.6559.85.camel@homeserver> (raw)
In-Reply-To: <1221148112.6559.24.camel@homeserver>
My sender fails to connect to my collector.
Is there any reason a MLS-policy F9 audisp-remote should be unable to
connect to a targeted-policy F9 auditd? I have no ipsec or anything else
involved...
I am looking for some hint as to why the connection is failing but I see
only this on the sender:
- lsof says I'm stuck on SYN_SENT
TCP comms:38827->192.168.30.120:tsdos390 (SYN_SENT)
- audit search on sender
ausearch -ts today -i -c audisp-remote:
...
----
type=SYSCALL msg=audit(09/11/2008 16:14:45.102:19013) : arch=x86_64
syscall=connect success=no exit=-110(Connection timed out) a0=3
a1=7f99ab0f20e0 a2=10 a3=7fffb289cf50 items=0 ppid=25435 pid=25436
auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=(none) ses=61 comm=audisp-remote
exe=/sbin/audisp-remote
subj=system_u:system_r:audisp_remote_t:s15:c0.c1023 key=(null)
Same audit versions on each (1.7.5-1).
On the sender, I can do a "newrole -l SystemHigh" and connect via
"telnet <collector> 1237", so I don't think it is the level giving me
any grief - sender is in permissive mode so there are AVCs but it should
work.
Eventually on the sender I get this:
Sep 11 16:57:12 comms audisp-remote: Error connecting to 192.168.30.120: Connection timed out - exiting
Sep 11 16:57:14 comms audispd: plugin /sbin/audisp-remote terminated unexpectedly
On the collector machine I see the listen socket open but I see no
denials in the messages log or the audit log.
Any suggestions?
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
next prev parent reply other threads:[~2008-09-11 22:00 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-09 18:26 audit collector startup help LC Bruzenak
2008-09-09 18:36 ` DJ Delorie
2008-09-09 18:47 ` LC Bruzenak
2008-09-09 19:25 ` DJ Delorie
2008-09-09 20:03 ` LC Bruzenak
2008-09-09 20:11 ` DJ Delorie
2008-09-09 21:52 ` LC Bruzenak
2008-09-09 21:55 ` LC Bruzenak
2008-09-09 22:07 ` DJ Delorie
2008-09-11 15:48 ` LC Bruzenak
2008-09-11 22:00 ` LC Bruzenak [this message]
2008-09-11 22:43 ` audit collector connect fails DJ Delorie
2008-09-11 22:53 ` LC Bruzenak
2008-09-12 16:50 ` audit collector startup help LC Bruzenak
2008-09-12 17:14 ` DJ Delorie
2008-09-12 17:48 ` LC Bruzenak
2008-09-12 18:45 ` DJ Delorie
2008-09-12 20:17 ` LC Bruzenak
2008-09-12 20:33 ` DJ Delorie
2008-09-12 23:41 ` LC Bruzenak
2008-09-13 0:04 ` DJ Delorie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1221170441.6559.85.camel@homeserver \
--to=lenny@magitekltd.com \
--cc=dj@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.