public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: Rituraj Buddhisagar <rituraj@vayana.com>
Cc: linux-audit@redhat.com
Subject: Re: Audisp-remote - connection refused.
Date: Mon, 02 Oct 2017 17:58:43 -0400
Message-ID: <11869218.hX4XnSsCEN@x2>
In-Reply-To: <CAPHnQ1BFViHrfDiOYyLkgEKB14WE8Sqp_fSQ3hvCfK7TWh-AZA@mail.gmail.com>

On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
> Hi
> 
> I tried my best to configure the audisp-remote.
> I am getting below error on the client machine in /var/log/syslog.
> 
> Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7:
> Connection refused
On the server, what do you get for:

ausearch --start recent -m DAEMON_ACCEPT -i

The server side records some information about why it did not allow a 
connection.

> 192.168.103.7 is the IP address of the central log server.
> 
> Notes: My settings are below:
> 
> on server as well on client:
> /etc/audisp/audisp-remote
> 
> remote_server = 192.168.103.7
> port = 6999
> local_port = 6999
> transport = tcp
> queue_file = /var/spool/audit/remote.log
> mode = immediate
> queue_depth = 2048
> format = ascii
> network_retry_time = 100

This is probably not your problem but managed is the normal setting for 
format. And do you have enable_krb5 set to no?

> I have enabled name_format=HOSTNAME only in one place (in
> /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf
> 
> entries in auditd.conf:
> 
> rtcp_listen_port = 6999
> tcp_listen_queue = 5
> tcp_max_per_addr = 10
> tcp_client_ports = 0-65535
> tcp_client_max_idle = 0

What do you have for use_libwrap and enable_krb5? 

The ausearch info from the aggregating server should tell the reason why the 
connection is rejected.

-Steve

> I see the server is listening on the port 6999 as below but it's not
> accepting client request.
> root@logs:/etc# lsof -i :6999
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->
> 192.168.103.7:6999 (ESTABLISHED)
> 
> Best Regards,
> Rituraj B
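An added check script, not part of this thread or of the audit project's own code, that parses an audisp-remote.conf / auditd.conf pair and flags the points Steve asks about (format, enable_krb5, use_libwrap, and whether the server's listen port matches the client's port and allowed client ports). The sample configs are constructed from the settings quoted above; the defaults it assumes when a key is absent (format managed, enable_krb5 no, use_libwrap yes, any local port) are assumptions to confirm against auditd.conf(5) and audisp-remote.conf(5) on your version.

```python
import re

# Constructed sample inputs modelled on the thread; the server listen-port key keeps its quoted spelling.
CLIENT_CONF = """
remote_server = 192.168.103.7
port = 6999
local_port = 6999
transport = tcp
format = ascii
"""
SERVER_CONF = """
rtcp_listen_port = 6999
tcp_listen_queue = 5
tcp_client_ports = 0-65535
use_libwrap = yes
"""

def parse_conf(text):
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[key.lower()] = value.lower()
    return conf

def check_remote_logging(client, server):
    """Return findings for a client (audisp-remote.conf) / server (auditd.conf) pair; defaults are assumptions."""
    findings = []
    if client.get("format", "managed") != "managed":
        findings.append("client: format should normally be 'managed'")
    for side, conf in (("client", client), ("server", server)):
        if conf.get("enable_krb5", "no") != "no":
            findings.append(f"{side}: enable_krb5 is on, both ends need Kerberos set up")
    listen = server.get("tcp_listen_port")
    if listen is None:
        findings.append("server: tcp_listen_port unset, auditd is not listening for clients")
    elif client.get("port") != listen:
        findings.append(f"client: port {client.get('port')} != server tcp_listen_port {listen}")
    # tcp_client_ports is a single port or a low-high range; unset is treated as any port.
    local = client.get("local_port", "any")
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", server.get("tcp_client_ports", "0-65535"))
    if local != "any" and m:
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        if not low <= int(local) <= high:
            findings.append(f"client: local_port {local} outside server tcp_client_ports")
    if server.get("use_libwrap", "yes") == "yes":
        findings.append("server: use_libwrap=yes, /etc/hosts.allow and hosts.deny also apply")
    return findings
```

Run it with the real files read from disk on both hosts, then compare the findings with the DAEMON_ACCEPT records from ausearch on the server.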
