From mboxrd@z Thu Jan  1 00:00:00 1970
From: DJ Delorie <dj@redhat.com>
Subject: Re: audit collector startup help
Date: Fri, 12 Sep 2008 20:04:41 -0400
Message-ID: <200809130004.m8D04f2S013401@greed.delorie.com>
References: <1220984797.6596.162.camel@homeserver>
	<200809091836.m89IatSW011688@greed.delorie.com>
	<1221238231.6502.22.camel@homeserver>
	<200809121714.m8CHE3Cl003572@greed.delorie.com>
	<1221241715.6502.62.camel@homeserver>
	<200809121845.m8CIjrXp005618@greed.delorie.com>
	<1221250678.6502.80.camel@homeserver>
	<200809122033.m8CKXIs2008495@greed.delorie.com>
	<1221262863.6502.117.camel@homeserver>
Return-path: <linux-audit-bounces@redhat.com>
In-reply-to: <1221262863.6502.117.camel@homeserver> (message from LC Bruzenak
	on Fri, 12 Sep 2008 18:41:03 -0500)
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: LC Bruzenak <lenny@magitekltd.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com


> After looking at this I had a hunch - the collector machine is 32-bit,
> the sender 64-bit. 

And the magic number has the high bit set.  I wonder if there's a sign
extension in there somewhere?

Can you try between two 32 bit hosts?

> I assume that all events on the sender make it to the collector. Is this
> true always?

I didn't add any filters - anything that makes it to audisp-remote
eventually gets queued in the server's event queue.

> But I cannot see this event on the collector.

All remote messages will have "node=" in them somewhere.  Can you grep
for that manually in your server's audit logs?  I wonder if ausearch
is skipping them.