From: LC Bruzenak <lenny@magitekltd.com>
To: DJ Delorie <dj@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: audit collector startup help
Date: Fri, 12 Sep 2008 18:41:03 -0500
Message-ID: <1221262863.6502.117.camel@homeserver>
In-Reply-To: <200809122033.m8CKXIs2008495@greed.delorie.com>


On Fri, 2008-09-12 at 16:33 -0400, DJ Delorie wrote:
> > So any clue as to why I get a "bad magic number" on this version?
> 
> Nope.  It means the server sent back a header that was corrupt, or
> sent back something other than a header.
> 
> The header is defined in lib/private.h

After looking at this I had a hunch - the collector machine is 32-bit,
the sender 64-bit. 

I reverse the sender/collector and I don't get this error anymore.
The machine architecture is not representative of the intended final
deployment, just the available machines I was using to test.

So now the bad news is that I still do not see events passing from
sender to collector. This may be due to an incorrect assumption on my part.
I assume that all events on the sender make it to the collector. Is this
true always? I send in a forced event (on the sender):

[root@fryspc audisp]#  auditctl -m TEST
[root@fryspc audisp]# ausearch -ts recent -i | grep TEST
type=USER msg=audit(09/12/2008 18:34:34.930:126) : user pid=4866 uid=root auid=root ses=11 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 msg='TEST: exe=/sbin/auditctl (hostname=?, addr=?, terminal=pts/2 res=success)' 

But I cannot see this event on the collector.

The good news is that I see the connection on both ends (using port 1237=tsdos, lsof results):
collector:
auditd     9422      root   11u     IPv4              55889                 TCP comms:tsdos390->fryspc:55303 (ESTABLISHED)
sender:
audisp-re 4846      root    3u     IPv4      26741                  TCP fryspc:55303->192.168.31.142:tsdos390 (ESTABLISHED)


Should I see this event, and if so, do you have any idea as to why I do
not? I also have the same thing from another 64-bit sender.

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com

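The exchange above (DJ Delorie: "the server sent back a header that was corrupt"; LC Bruzenak: the collector is 32-bit, the sender 64-bit, and swapping them makes the "bad magic number" go away) is a classic layout-mismatch symptom. The following is an added example, not code from this thread or from the audit project, and it does not claim to reproduce the real header in lib/private.h. It uses a hypothetical header built from `unsigned long` (4 bytes on a 32-bit build, 8 on a 64-bit one) to show how a 64-bit client misreads a 32-bit server's reply as a bad magic number, then shows the fixed-width, explicit-byte-order form that parses identically on both sides. All struct, function and constant names are made up for the demonstration, and the server reply bytes are constructed by hand.

```c
/* Added example, not code from the linux-audit thread or the audit project.
 * Models how a wire header built from native C types yields a "bad magic
 * number" between a 32-bit and a 64-bit peer, and how fixed-width fields in
 * network byte order avoid it. Every name here is hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WIRE_MAGIC 0x0A1B2C3DUL

/* Hypothetical native header. 'unsigned long' is 4 bytes on a 32-bit build
 * and 8 bytes on a 64-bit build, so the two peers disagree on where each
 * field starts and on the total header length. */
struct native_hdr {
    unsigned long magic;
    unsigned long length;
    unsigned long type;
};

/* Constructed bytes: a little-endian 32-bit server writes its native_hdr
 * {magic = WIRE_MAGIC, length = 12, type = 1} straight onto the socket. */
static const uint8_t server32_reply[12] = {
    0x3D, 0x2C, 0x1B, 0x0A,   /* magic, 4 bytes on the 32-bit side */
    0x0C, 0x00, 0x00, 0x00,   /* length = 12 */
    0x01, 0x00, 0x00, 0x00,   /* type = 1 */
};

/* Little-endian decode helpers, so the demo does not depend on host byte order. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t le64(const uint8_t *p) {
    return (uint64_t)le32(p) | (uint64_t)le32(p + 4) << 32;
}

/* What a little-endian 64-bit client reads as 'magic' from that reply: its
 * 'unsigned long' is 8 bytes, so the server's 'length' field lands in the
 * high half and the comparison against WIRE_MAGIC fails. */
uint64_t client64_read_magic(const uint8_t *reply) {
    return le64(reply);
}

/* Portable header: fixed widths and an explicit big-endian wire encoding. */
struct wire_hdr {
    uint32_t magic;
    uint32_t length;
    uint32_t type;
};
#define WIRE_HDR_LEN 12

static void be32_put(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t be32_get(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
           (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Serialize field by field; never write the struct itself to the socket. */
void wire_hdr_pack(const struct wire_hdr *h, uint8_t out[WIRE_HDR_LEN]) {
    be32_put(out + 0, h->magic);
    be32_put(out + 4, h->length);
    be32_put(out + 8, h->type);
}

/* Parse and validate. Returns 0 on a valid header, -1 on a bad magic number. */
int wire_hdr_unpack(const uint8_t in[WIRE_HDR_LEN], struct wire_hdr *h) {
    h->magic  = be32_get(in + 0);
    h->length = be32_get(in + 4);
    h->type   = be32_get(in + 8);
    return h->magic == WIRE_MAGIC ? 0 : -1;
}

int main(void) {
    uint64_t m = client64_read_magic(server32_reply);
    printf("64-bit client sees magic 0x%016llx (%s)\n", (unsigned long long)m,
           m == WIRE_MAGIC ? "ok" : "bad magic number");

    struct wire_hdr h = { WIRE_MAGIC, 12, 1 }, back;
    uint8_t buf[WIRE_HDR_LEN];
    wire_hdr_pack(&h, buf);
    printf("portable header round-trip: %s\n",
           wire_hdr_unpack(buf, &back) == 0 ? "ok" : "bad magic number");
    return 0;
}
```

The first half reproduces the thread's symptom without needing two machines: the 12 bytes a 32-bit peer emits are read by a 64-bit peer as an 8-byte magic whose upper half is the neighbouring length field. The second half is the usual remedy for any cross-architecture daemon protocol: fixed-width integer types, a documented byte order, and a length check on the header before trusting anything that follows it.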