From mboxrd@z Thu Jan  1 00:00:00 1970
From: LC Bruzenak <lenny@magitekltd.com>
Subject: audisp-remote and audisp-prelude question
Date: Tue, 24 Mar 2009 11:29:48 -0500
Message-ID: <1237912188.9480.258.camel@homeserver>
References: <200902271033.21486.sgrubb@redhat.com>
	<1235751224.7212.24.camel@homeserver>
	<200902271156.55861.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id n2OGU8w0003669
	for <linux-audit@redhat.com>; Tue, 24 Mar 2009 12:30:08 -0400
Received: from mail.magitekltd.com (rrcs-24-242-137-197.sw.biz.rr.com
	[24.242.137.197])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id n2OGTnD7032324
	for <linux-audit@redhat.com>; Tue, 24 Mar 2009 12:29:49 -0400
Received: from [24.242.137.194] (helo=[192.168.30.40])
	by mail.magitekltd.com with esmtpsa
	(TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63)
	(envelope-from <lenny@magitekltd.com>) id 1Lm9VQ-0004Dq-5j
	for linux-audit@redhat.com; Tue, 24 Mar 2009 11:29:36 -0500
In-Reply-To: <200902271156.55861.sgrubb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Linux Audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

I thought that we have :
    
(from another machine)
     audisp-remote 
          |
          v          (to collector)
kernel->auditd->audispd->audisp-prelude

and that I could pick off the prelude-bound events on the aggregated
data, but I don't get the events into the prelude DB.

For example, I see the client logins in the collector's log, so the
aggregation appears to be working.
Local logins on the collector machine do get sent to prelude, so the
audisp-prelude plugin is working.

However, logins on the remote machine which are sent to the collector
log do not make it into the prelude DB (at least prewikka doesn't show
them). I have no prewikka filters and I have the prewikka viewer set to
"1 day".

Any ideas? Using 1.7.12 audit rpms.

Here is a sample of "ausearch -ts today -i -m USER_LOGIN" on the
collector:
...
node=v157 type=USER_LOGIN msg=audit(03/24/2009 10:44:27.533:548759) :
user pid=11353 uid=root auid=root ses=328
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='uid=root
exe=/usr/sbin/sshd (hostname=homeserver, addr=192.168.31.40,
terminal=/dev/pts/0 res=success)' 
----
node=audit type=USER_LOGIN msg=audit(03/24/2009 11:11:37.882:1412) :
user pid=3103 uid=root auid=root ses=54
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='uid=root
exe=/usr/sbin/sshd (hostname=192.168.31.40, addr=192.168.31.40,
terminal=/dev/pts/3 res=success)' 

On the prewikka screen I only see the second event.

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com