From mboxrd@z Thu Jan  1 00:00:00 1970
From: LC Bruzenak
Subject: Re: audit collector startup help
Date: Fri, 12 Sep 2008 11:50:31 -0500
Message-ID: <1221238231.6502.22.camel@homeserver>
References: <1220984797.6596.162.camel@homeserver> <200809091836.m89IatSW011688@greed.delorie.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
In-Reply-To: <200809091836.m89IatSW011688@greed.delorie.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: DJ Delorie
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tue, 2008-09-09 at 14:36 -0400, DJ Delorie wrote:
> > Is there a HOWTO for activating the 1.7.5 aggregating feature?
> 
> Just the man pages.
> 
> > I believe that the collector needs to uncomment the lines
> > in /etc/auditd/auditd.conf and the senders/clients need to set
> > active=yes, remote= in the audisp-remote.conf file.
> 
> The collector needs the listener configured in /etc/audit/auditd.conf:
> 
> tcp_listen_port = 1237
> 
> The clients need the audisp-remote module enabled and configured:
> 
> /etc/audisp/plugins.d/au-remote.conf:
> active = yes
> 
> /etc/audisp/audisp-remote.conf:
> remote_server = 192.16.1.12 (your server's IP, not mine ;)
> port = 1237 (or use some other port, up to you)
> transport = tcp
> 
> Additional options:
> format = managed
> network_retry_time = 1
> max_tries_per_record = 10
> max_time_per_record = 7

DJ,

Thanks for the above. The network_retry_time (et al.) must be in the later version.
I have: audispd-plugins-1.7.5-1.fc9.x86_64 ; there is no mention of that one in the man page and I get this message on startup:

Sep 12 11:43:48 comms audisp-remote: Unknown keyword "network_retry_time" in line 14 of /etc/audisp/audisp-remote.conf
Sep 12 11:43:48 comms auditd[4411]: Init complete, auditd 1.7.5 listening for events (startup state enable)
Sep 12 11:43:48 comms audispd: plugin /sbin/audisp-remote terminated unexpectedly

So I removed the timing parameters. Now I get this:

...
Sep 12 11:46:20 comms audisp-remote: lost/losing sync, bad magic number
Sep 12 11:46:20 comms audisp-remote: lost/losing sync, bad magic number
...

I do not see any errors in the message log on the collector.

Any ideas?

Thx again!
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
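A pre-restart consistency check for the client/collector pairing discussed in this thread, added here as an example and not part of the original mail or of the audit project's code. It parses the key = value files DJ lists, reproduces the "Unknown keyword ... in line N" check that made audisp-remote 1.7.5 exit, and confirms that the plugin is active and that the client's port matches the collector's tcp_listen_port. The keyword sets are an assumption drawn from the thread, not from any audit version table.

```python
import re
# Keyword sets taken from the thread: the three timing options were rejected as
# "Unknown keyword" by audisp-remote 1.7.5, so they are modelled as a later addition.
BASE_KEYWORDS = {"remote_server", "port", "transport", "format"}
LATER_KEYWORDS = {"network_retry_time", "max_tries_per_record", "max_time_per_record"}

def parse_conf(text):
    """Parse 'key = value' lines into {key: (value, line_number)}; '#' comments and
    blanks are skipped, and a trailing '(remark)' as written in the mail is dropped."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m:
            value = re.sub(r"\s*\(.*\)\s*$", "", m.group(2)).strip()
            entries[m.group(1)] = (value, lineno)
    return entries

def check_remote_setup(client_conf, plugin_conf, collector_conf, accepted):
    """Pair a client's audisp-remote.conf and au-remote.conf with the collector's
    auditd.conf; `accepted` is the keyword set the installed audisp-remote knows."""
    problems = []
    client = parse_conf(client_conf)
    plugin = parse_conf(plugin_conf)
    collector = parse_conf(collector_conf)
    for key, (_, lineno) in client.items():
        if key not in accepted:  # what audisp-remote logs just before it exits
            problems.append(f'Unknown keyword "{key}" in line {lineno} of audisp-remote.conf')
    if plugin.get("active", ("no", 0))[0] != "yes":
        problems.append("au-remote.conf: plugin is not active, nothing will be sent")
    listen = collector.get("tcp_listen_port", (None, 0))[0]
    port = client.get("port", (None, 0))[0]
    if listen is None:
        problems.append("auditd.conf: tcp_listen_port not set, collector will not listen")
    elif port != listen:
        problems.append(f"client port {port} does not match collector tcp_listen_port {listen}")
    return problems

# Constructed sample files that mirror the configuration quoted in the thread.
CLIENT_CONF = """remote_server = 192.16.1.12
port = 1237 (or use some other port, up to you)
transport = tcp
format = managed
network_retry_time = 1
max_tries_per_record = 10
max_time_per_record = 7
"""
PLUGIN_CONF = "active = yes\n"
COLLECTOR_CONF = "# collector side of /etc/audit/auditd.conf\ntcp_listen_port = 1237\n"
```

Run it with BASE_KEYWORDS to see the three keywords 1.7.5 rejects, and with BASE_KEYWORDS | LATER_KEYWORDS to confirm the same files are clean on a version that knows them.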