From mboxrd@z Thu Jan  1 00:00:00 1970
From: Tony Jones
Subject: Re: Help with auditd.conf
Date: Tue, 29 Apr 2008 12:01:20 -0700
Message-ID: <20080429190120.GA5185@suse.de>
References: <48176B07.8050100@ll.mit.edu>
In-Reply-To: <48176B07.8050100@ll.mit.edu>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Scott Ehrlich wrote:
> Hello to all:
>
> I have Snare Agent and audit 1.5.2 running on a CentOS 5.0 box and a RHEL
> 5.0 server. I ideally would like audit logs to be sent to both the
> system's local audit.log file and to a log server. I reviewed the
> /etc/audit/auditd.conf file and tried to play with things and move things
> around, but an active watch of my log server's /var/log/syslog and local
> machine's audit.log does NOT show simultaneous activity, leading me to
> think it is either one way or the other, and that simultaneous local and
> remote logging is not possible.
>
> Is there a way to get both?
>
> Thanks.
>
> Scott

It's not possible directly.

The kernel will log to syslog if there is no auditd running, but normally, with auditd running, it'll log to auditd. What you are trying to achieve is the reason the dispatcher (audispd) was created. If you don't want to use one of the existing modules, you could easily create your own which just relays to the local syslog.

Tony
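The custom dispatcher module Tony describes, as an added example that is not part of the list post or of the audit project: a small audispd output plugin that reads audit records from stdin and relays each one to the local syslog, so auditd keeps writing audit.log while syslog ships a copy to the log server. It assumes the plugin is registered with a `format = string` entry under /etc/audisp/plugins.d/, so records arrive one per line; the sample records, the `audisp-relay` ident and the priority mapping are constructed for illustration.

```python
#!/usr/bin/env python3
"""Minimal audispd output plugin: relay audit records to local syslog (added example)."""
import re
import sys
import syslog

# With "format = string", audispd hands the plugin one raw record per line, e.g.
#   type=USER_LOGIN msg=audit(1209494400.123:456): pid=2817 uid=0 ... res=failed'
# An optional "node=<host> " prefix appears when audispd's name_format is set.
HEADER = re.compile(
    r"^(?:node=\S+\s+)?type=(?P<type>\S+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):?\s*(?P<body>.*)$"
)

# Constructed sample records (not real captures) used for the stand-alone run below.
SAMPLE_RECORDS = [
    "type=USER_LOGIN msg=audit(1209494400.123:456): pid=2817 uid=0 auid=500 msg='acct=\"root\" res=failed'",
    "node=web01 type=CONFIG_CHANGE msg=audit(1209494401.001:457): auid=0 op=add rule key=(null) list=4 res=1",
    "",  # audispd may emit blank lines; the plugin must tolerate them
    "type=SYSCALL msg=audit(1209494402.500:458): arch=c000003e syscall=2 success=yes exit=3 comm=\"cat\"",
]

def parse_record(line):
    """Return (type, timestamp, serial, body) for one audit record line, or None if unparseable."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    return m.group("type"), float(m.group("ts")), int(m.group("serial")), m.group("body")

def priority_for(rec_type, body):
    """Assumed mapping: failures and daemon/config changes are escalated, everything else is INFO."""
    if "res=failed" in body or rec_type == "ANOM_ABEND":
        return syslog.LOG_WARNING
    if rec_type in ("CONFIG_CHANGE", "DAEMON_START", "DAEMON_END", "DAEMON_ABORT"):
        return syslog.LOG_NOTICE
    return syslog.LOG_INFO

def relay(lines, emit=syslog.syslog):
    """Parse each line and hand it to emit(priority, message); return the (priority, message) pairs sent."""
    sent = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:  # skip blank or malformed input rather than crashing the plugin
            continue
        rec_type, _ts, serial, body = rec
        msg = "audit type=%s serial=%d %s" % (rec_type, serial, body)
        pri = priority_for(rec_type, body)
        emit(pri, msg)
        sent.append((pri, msg))
    return sent

if __name__ == "__main__":
    # audispd keeps the pipe open for the daemon's lifetime; we exit when stdin is closed.
    syslog.openlog("audisp-relay", syslog.LOG_PID, syslog.LOG_AUTHPRIV)
    relay(sys.stdin)
```

Run stand-alone it reads records from stdin; under audispd the plugin conf's `path` points at this script and auditd must be restarted (or sent SIGHUP) to pick the plugin up.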