From mboxrd@z Thu Jan  1 00:00:00 1970
From: LC Bruzenak <lenny@magitekltd.com>
Subject: Re: audisp-prelude problems
Date: Wed, 03 Dec 2008 10:38:45 -0600
Message-ID: <1228322325.14768.110.camel@homeserver>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id mB3Gd3Iu007552
	for <linux-audit@redhat.com>; Wed, 3 Dec 2008 11:39:03 -0500
Received: from mail.magitekltd.com (rrcs-24-242-137-197.sw.biz.rr.com
	[24.242.137.197])
	by mx3.redhat.com (8.13.8/8.13.8) with ESMTP id mB3GcnGE017682
	for <linux-audit@redhat.com>; Wed, 3 Dec 2008 11:38:50 -0500
Received: from [24.242.137.194] (helo=[192.168.30.40])
	by mail.magitekltd.com with esmtpsa
	(TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63)
	(envelope-from <lenny@magitekltd.com>) id 1L7uiu-000656-9A
	for linux-audit@redhat.com; Wed, 03 Dec 2008 10:37:12 -0600
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Linux Audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Wed, 2008-12-03 at 17:28 +0200, Loredan Stancu wrote:

> 
> I know how to activate the audisp-plugin, what I asked is how can I use it.
> 
> What I need is an example of an application which can stay on the remote
> host, listen for incoming events send by audisp-remote plugin and store
> these events in a regular file.

OK.
That's what the auditd does if the remote host is also SElinux.

So - next questions:

* Is the remote host not a SElinux machine? You'd need to emulate the
protocol on the receive side. 

* If it is a SElinux machine (F9/F10/other?), do you want the
originating events in a different place than the default? Like separated
by sending host instead of lumped together with the other audit?

If the latter is the case, there are ways of doing this now depending on
your intent. 

Also this is an area Steve has discussed may be open for modification.
The auditd on the aggregating side may be able to separate data based on
other criteria per user feedback.

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com