From: Steve Grubb
Subject: Re: More info on remote logging
Date: Tue, 18 May 2010 10:43:24 -0400
Message-ID: <201005181043.25004.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday 18 May 2010 10:27:32 am Konstantin Ryabitsev wrote:
> I'm interested in sending audit logs to a central logging server. One
> option is using the builtin syslog plugin for audisp, but I also see
> audisp-remote that mentions sending logs to a remote server.
> Unfortunately, I'm having trouble finding more information about that
> (such as "what kind of a remote server" and "how do you set up a
> remote server").

auditd is the remote server. Look at the auditd.conf man page starting at the tcp_listen_port entry to see what options you have available. One thing to note, I do not enable the kerberos support right now on any Red Hat or Fedora release.

> Also a suggestion -- the syslog plugin for audisp doesn't specify the
> facility, so the default facility (LOG_USER) is used. Perhaps this can
> be made configurable so I could configure syslog to only send audit
> logs to remote without duplicating them in /var/log/messages (e.g. set
> facility to local9 and only send it to a remote server, not locally)?

Sure. If you want to file an RFE bugzilla, please do.

> Currently that's not possible and I end up wasting space by having
> audit logs both in /var/log/audit/audit.log and in /var/log/messages.
> Turning off af_unix is an option, but that has a significant drawback
> of complicating ausearch/aureport.

-Steve
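As an added illustration (not part of this thread, and not taken from the audit project's shipped defaults), here is a matched pair of configuration fragments for the setup Steve describes: the receiving auditd's tcp_listen_port block on the collector, and the audisp-remote plugin configuration on a sending host. The remote_server value is a placeholder to be replaced with the collector's address; the client-port restriction is an assumption shown as a hardening choice, not something the thread prescribes.

```ini
# /etc/audit/auditd.conf on the central collector (the "remote server" is auditd itself).
# These are the entries the auditd.conf man page lists starting at tcp_listen_port.
tcp_listen_port = 60          # listen for audit records from remote auditd clients
tcp_listen_queue = 5          # backlog of pending connections
tcp_max_per_addr = 1          # at most one connection per client address
tcp_client_ports = 1-1023     # assumption: only accept clients sending from a privileged port
tcp_client_max_idle = 0       # 0 = never disconnect idle clients
enable_krb5 = no              # matches the thread: kerberos support not enabled on these builds

# /etc/audisp/audisp-remote.conf on each sending host
remote_server = COLLECTOR-HOST   # placeholder: hostname or IP of the collector above
port = 60                        # must match tcp_listen_port on the collector
local_port = 60                  # privileged source port, satisfies tcp_client_ports above
transport = tcp
mode = immediate                 # send each record as it arrives rather than batching
queue_depth = 200                # records buffered locally while the collector is unreachable
format = managed                 # collector acknowledges records; sender can detect loss
network_retry_time = 1
max_tries_per_record = 3
max_time_per_record = 5
heartbeat_timeout = 0
enable_krb5 = no

# /etc/audisp/plugins.d/au-remote.conf on each sending host: turn the plugin on
active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string
```

With this pairing the records stay in /var/log/audit/audit.log on the sender (so ausearch and aureport keep working locally) and are copied to the collector's audit log without going through syslog at all.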