From: DJ Delorie
Subject: Re: audit collector startup help
Date: Tue, 9 Sep 2008 14:36:55 -0400
Message-ID: <200809091836.m89IatSW011688@greed.delorie.com>
References: <1220984797.6596.162.camel@homeserver>
In-reply-to: <1220984797.6596.162.camel@homeserver> (message from LC Bruzenak on Tue, 09 Sep 2008 13:26:37 -0500)
To: LC Bruzenak
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

> Is there a HOWTO for activating the 1.7.5 aggregating feature?

Just the man pages.

> I believe that the collector needs to uncomment the lines
> in /etc/auditd/auditd.conf and the senders/clients need to set
> active=yes, remote= in the audisp-remote.conf file.

The collector needs the listener configured in /etc/audit/auditd.conf:

    tcp_listen_port = 1237

The clients need the audisp-remote module enabled and configured:

/etc/audisp/plugins.d/au-remote.conf:

    active = yes

/etc/audisp/audisp-remote.conf:

    remote_server = 192.16.1.12   (your server's IP, not mine ;)
    port = 1237                   (or use some other port, up to you)
    transport = tcp

Additional options:

    format = managed
    network_retry_time = 1
    max_tries_per_record = 10
    max_time_per_record = 7

You'll have to enable the connection through tcp_wrappers as well, if
you have that option enabled, as well as whatever firewall rules may
apply.

> However, my collector auditd fails on start;

Messages?
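A small consistency check for the collector/client settings described in the reply above, added here as an example and not part of the original post or of the audit package. It parses the three "key = value" files and verifies that the client's port and transport match the collector's tcp_listen_port; the file paths are passed in as arguments and the sample files are constructed in a temporary directory, so it runs without touching /etc.

```bash
#!/bin/bash
# Added example: check that a client's audisp-remote.conf agrees with the
# collector's auditd.conf listener. tcp_wrappers and firewall rules are
# NOT checked here; those still have to be verified separately.

# Read the first "KEY = VALUE" line from an audit-style config file,
# ignoring leading whitespace and trailing comments.
cfg_get() {  # usage: cfg_get FILE KEY
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\1/p" "$1" | head -n1
}

# Return 0 if client and collector settings are consistent, else 1 with a reason.
check_remote_logging() {  # usage: check_remote_logging AUDITD_CONF AU_REMOTE_CONF AUDISP_REMOTE_CONF
    local listen active server port transport
    listen=$(cfg_get "$1" tcp_listen_port)
    active=$(cfg_get "$2" active)
    server=$(cfg_get "$3" remote_server)
    port=$(cfg_get "$3" port)
    transport=$(cfg_get "$3" transport)
    [ -n "$listen" ]         || { echo "collector: tcp_listen_port not set (still commented out?)"; return 1; }
    [ "$active" = "yes" ]    || { echo "client: au-remote.conf has active='$active', need yes"; return 1; }
    [ -n "$server" ]         || { echo "client: remote_server not set"; return 1; }
    [ "$port" = "$listen" ]  || { echo "client port '$port' != collector tcp_listen_port '$listen'"; return 1; }
    [ "$transport" = "tcp" ] || { echo "client transport '$transport' != tcp"; return 1; }
    echo "ok: client sends to $server:$port/$transport, collector listens on $listen"
    return 0
}

# Constructed sample files mirroring the settings quoted in the reply
# (192.16.1.12 is the placeholder address from the post, not a real collector).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '# collector side' 'tcp_listen_port = 1237'            > "$demo_dir/auditd.conf"
printf '%s\n' 'active = yes'                                        > "$demo_dir/au-remote.conf"
printf '%s\n' 'remote_server = 192.16.1.12' 'port = 1237' 'transport = tcp' > "$demo_dir/audisp-remote.conf"
# A client pointed at the wrong port, to show the mismatch report.
printf '%s\n' 'remote_server = 192.16.1.12' 'port = 60' 'transport = tcp'   > "$demo_dir/audisp-remote-bad.conf"

check_remote_logging "$demo_dir/auditd.conf" "$demo_dir/au-remote.conf" "$demo_dir/audisp-remote.conf"
```

Run it against the real files as `check_remote_logging /etc/audit/auditd.conf /etc/audisp/plugins.d/au-remote.conf /etc/audisp/audisp-remote.conf` on a host that has both configs available (for example copied from the client).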