public inbox for linux-audit@redhat.com
From: LC Bruzenak <lenny@magitekltd.com>
To: Linux Audit <linux-audit@redhat.com>
Subject: audisp-remote and audisp-prelude question
Date: Tue, 24 Mar 2009 11:29:48 -0500
Message-ID: <1237912188.9480.258.camel@homeserver>
In-Reply-To: <200902271156.55861.sgrubb@redhat.com>

I thought that we have:
    
(from another machine)
     audisp-remote 
          |
          v          (to collector)
kernel->auditd->audispd->audisp-prelude

and that I could pick off the prelude-bound events on the aggregated
data, but I don't get the events into the prelude DB.

For example, I see the client logins in the collector's log, so the
aggregation appears to be working.
Local logins on the collector machine do get sent to prelude, so the
audisp-prelude plugin is working.

However, logins on the remote machine which are sent to the collector
log do not make it into the prelude DB (at least prewikka doesn't show
them). I have no prewikka filters and I have the prewikka viewer set to
"1 day".

Any ideas? Using 1.7.12 audit rpms.

Here is a sample of "ausearch -ts today -i -m USER_LOGIN" on the
collector:
...
node=v157 type=USER_LOGIN msg=audit(03/24/2009 10:44:27.533:548759) :
user pid=11353 uid=root auid=root ses=328
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='uid=root
exe=/usr/sbin/sshd (hostname=homeserver, addr=192.168.31.40,
terminal=/dev/pts/0 res=success)' 
----
node=audit type=USER_LOGIN msg=audit(03/24/2009 11:11:37.882:1412) :
user pid=3103 uid=root auid=root ses=54
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='uid=root
exe=/usr/sbin/sshd (hostname=192.168.31.40, addr=192.168.31.40,
terminal=/dev/pts/3 res=success)' 

On the prewikka screen I only see the second event.

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
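Added example (not code from the message above, nor from the audit project): a small parser for the interpreted `ausearch -i` record format quoted above, used to answer the question the post is really asking, namely which aggregated records on the collector never reached the downstream consumer. It groups USER_LOGIN records by their `node=` field (local `audit` vs. the remote `v157`) and then diffs them against a constructed set of (node, serial) pairs standing in for what the prelude DB actually received. The sample records are modelled on the two quoted in the post, re-joined onto one line each as ausearch prints them; the "delivered" set and all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in "ausearch -i" form, modelled on the two records
# quoted above (one line per record, as ausearch actually prints them).
SAMPLE_AUSEARCH = """\
----
node=v157 type=USER_LOGIN msg=audit(03/24/2009 10:44:27.533:548759) : user pid=11353 uid=root auid=root ses=328 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='uid=root exe=/usr/sbin/sshd (hostname=homeserver, addr=192.168.31.40, terminal=/dev/pts/0 res=success)' 
----
node=audit type=USER_LOGIN msg=audit(03/24/2009 11:11:37.882:1412) : user pid=3103 uid=root auid=root ses=54 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='uid=root exe=/usr/sbin/sshd (hostname=192.168.31.40, addr=192.168.31.40, terminal=/dev/pts/3 res=success)' 
"""

# Record header: node, record type, timestamp and per-node serial number.
HEADER_RE = re.compile(
    r"^node=(?P<node>\S+)\s+type=(?P<type>\S+)\s+"
    r"msg=audit\((?P<time>.+?):(?P<serial>\d+)\)\s*:\s*(?P<rest>.*)$",
    re.S,
)
# Fields of interest inside the nested msg='... (hostname=..., addr=..., ...)' text.
INNER_RE = re.compile(r"(hostname|addr|terminal|res|exe)=([^,\s)]+)")


def parse_record(block):
    """Parse one interpreted audit record into a dict, or None if not a record."""
    m = HEADER_RE.match(block.strip())
    if not m:
        return None
    rec = {"node": m["node"], "type": m["type"],
           "time": m["time"], "serial": int(m["serial"])}
    rest = m["rest"]
    inner = ""
    im = re.search(r"msg='(.*)'\s*$", rest, re.S)
    if im:                        # split off the nested msg='...' payload
        inner = im.group(1)
        rest = rest[: im.start()]
    for k, v in re.findall(r"(\w+)=(\S+)", rest):   # pid, uid, auid, ses, subj
        rec.setdefault(k, v)
    for k, v in INNER_RE.findall(inner):            # hostname, addr, res, ...
        rec[k] = v
    return rec


def parse_ausearch(text):
    """Split ausearch output on its '----' separators and parse every record."""
    records = []
    for block in re.split(r"^----\s*$", text, flags=re.M):
        rec = parse_record(block)
        if rec:
            records.append(rec)
    return records


def logins_by_node(records, event_type="USER_LOGIN"):
    """Group records of one type by originating node (local vs. remote)."""
    by_node = defaultdict(list)
    for r in records:
        if r["type"] == event_type:
            by_node[r["node"]].append(r)
    return dict(by_node)


def not_delivered(records, delivered):
    """Records whose (node, serial) is missing from `delivered`, the set of
    (node, serial) pairs the downstream sink (here: prelude) is known to hold.
    Serials are only unique per node, so the node must be part of the key."""
    return [r for r in records if (r["node"], r["serial"]) not in delivered]


if __name__ == "__main__":
    recs = parse_ausearch(SAMPLE_AUSEARCH)
    for node, logins in logins_by_node(recs).items():
        print(f"{node}: {len(logins)} USER_LOGIN record(s)")
    # Constructed: pretend prelude only holds the collector's local login.
    seen_by_prelude = {("audit", 1412)}
    for r in not_delivered(recs, seen_by_prelude):
        print(f"missing from sink: node={r['node']} serial={r['serial']} "
              f"auid={r['auid']} from {r['addr']} res={r['res']}")
```

In practice the "delivered" set would be built from the sink side (for prelude, the alert additional-data that carries the audit node and serial); the diff then shows immediately whether the gap is confined to remote-node records, which is the symptom described in the post.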


Thread overview:
2009-02-27 15:33 Near Term Audit Road Map Steve Grubb
2009-02-27 16:13 ` LC Bruzenak
2009-02-27 16:23   ` LC Bruzenak
2009-02-27 16:56   ` Steve Grubb
2009-03-24 16:29     ` LC Bruzenak [this message]
2009-03-24 16:41       ` audisp-remote and audisp-prelude question Steve Grubb
2009-03-24 16:55       ` Sebastien Tricaud
2009-03-24 17:30         ` LC Bruzenak
2009-03-24 17:06       ` Steve Grubb
2009-03-24 18:01         ` LC Bruzenak
2009-03-24 18:13           ` Steve Grubb
2009-02-27 20:59 ` Near Term Audit Road Map Matthew Booth
