From mboxrd@z Thu Jan  1 00:00:00 1970
From: LC Bruzenak <lenny@magitekltd.com>
Subject: Re: [PATCH] Add auditd listener and remote audit protocol
Date: Tue, 29 Sep 2009 14:14:05 -0500
Message-ID: <1254251645.9900.23.camel@lcb>
References: <200808142143.m7ELh0MP028560@greed.delorie.com>
	<200808142007.02746.sgrubb@redhat.com>
	<1218759744.7022.272.camel@homeserver>
	<200808142027.40811.sgrubb@redhat.com>
	<1218760295.7022.277.camel@homeserver> <1254246768.9900.14.camel@lcb>
	<4AC25718.1050801@conceras.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <4AC25718.1050801@conceras.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: "Norman Mark St. Laurent" <mstlaurent@conceras.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tue, 2009-09-29 at 14:51 -0400, Norman Mark St. Laurent wrote:
> Hi LCB,
> 
> I hope I answer u correctly...
> 
> I would look in your /etc/audisp/audisp-remote.conf file and note the 
> port you communicate on, as an alternate you can grab the port with 
> "lsof -i -nP" or "netstat -taupe".  Then you can use tcpdump to watch 
> the connections.
> 
> #tcpdump -i eth0 port 1001     -->  or what ever port you have setup to 
> the remote data on and the correct nic.
> 
> Sounds like this could help u out.
> 
> Norman Mark St. Laurent
> Conceras | Chief Technology Officer and ISSE
> Phone:  703-965-4892
> Email:  mstlaurent@conceras.com
> Web:  http://www.conceras.com
> 
> Connect. Collaborate. Conceras.
> 
> 
> 
> LC Bruzenak wrote:
> > On Thu, 2008-08-14 at 19:31 -0500, LC Bruzenak wrote:
> >   
> >> On Thu, 2008-08-14 at 20:27 -0400, Steve Grubb wrote:
> >>     
> >>> On Thursday 14 August 2008 20:22:24 LC Bruzenak wrote:
> >>>       
> >>>> I think you have a good point - this is the first cut and maybe
> >>>>         
> >> later on
> >>     
> >>>> institute a "replay daemon" or something which can send events on
> >>>> reconnect.
> >>>>         
> >>> Note that all audispd plugins take their input from stdin. At the
> >>>       
> >> worst, if 
> >>     
> >>> you had the time hacks, you could 
> >>>
> >>> ausearch --start <time> --end <time> --raw | /sbin.audisp-remote
> >>>
> >>> -Steve
> >>>       
> >
> > Steve,
> >
> > I have been doing this but I really cannot tell if the audisp-remote
> > connection succeeds; it returns "0" either way.
> > Would there be an easy way to return a non-zero failure indicator?
> >
> > Thx,
> > LCB.
> >

Norman,

Thank for the reply but I wasn't quite clear enough.
The context of this is within a recovery script, so I'm concerned that I
can get the return value of the audisp-remote within the script to
decide if the recovery was successful or if it failed.

I don't think that was clear above; my apologies since the conversation
I referenced was > 1 year old.

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com