From mboxrd@z Thu Jan  1 00:00:00 1970
From: LC Bruzenak <lenny@magitekltd.com>
Subject: Re: audit collector startup help
Date: Fri, 12 Sep 2008 18:41:03 -0500
Message-ID: <1221262863.6502.117.camel@homeserver>
References: <1220984797.6596.162.camel@homeserver>
	<200809091836.m89IatSW011688@greed.delorie.com>
	<1221238231.6502.22.camel@homeserver>
	<200809121714.m8CHE3Cl003572@greed.delorie.com>
	<1221241715.6502.62.camel@homeserver>
	<200809121845.m8CIjrXp005618@greed.delorie.com>
	<1221250678.6502.80.camel@homeserver>
	<200809122033.m8CKXIs2008495@greed.delorie.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <200809122033.m8CKXIs2008495@greed.delorie.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: DJ Delorie <dj@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com


On Fri, 2008-09-12 at 16:33 -0400, DJ Delorie wrote:
> > So any clue as to why I get a "bad magic number" on this version?
> 
> Nope.  It means the server sent back a header that was corrupt, or
> sent back something other than a header.
> 
> The header is defined in lib/private.h

After looking at this I had a hunch - the collector machine is 32-bit,
the sender 64-bit. 

I reverse the sender/collector and I don't get this error anymore.
The machine architecture is not representative of the intended final
deployment, just the available machines I was using to test.

So now the bad news is that I still do not see events passing from
sender to collector. This may be to an incorrect assumption on my part.
I assume that all events on the sender make it to the collector. Is this
true always? I send in a forced event (on the sender):

[root@fryspc audisp]#  auditctl -m TEST
[root@fryspc audisp]# ausearch -ts recent -i | grep TEST
type=USER msg=audit(09/12/2008 18:34:34.930:126) : user pid=4866 uid=root auid=root ses=11 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 msg='TEST: exe=/sbin/auditctl (hostname=?, addr=?, terminal=pts/2 res=success)' 

But I cannot see this event on the collector.

The good news is that I see the connection on both ends (using port 1237=tsdos, lsof results):
collector:
auditd     9422      root   11u     IPv4              55889                 TCP comms:tsdos390->fryspc:55303 (ESTABLISHED)
collector:
sender:
audisp-re 4846      root    3u     IPv4      26741                  TCP fryspc:55303->192.168.31.142:tsdos390 (ESTABLISHED)


Should I see this event, and if so, do you have any idea as to why I do
not? I also have the same thing from another 64-bit sender.

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com