* auditd.conf/audispd.conf question...
@ 2010-10-07 1:36 Jim Richard
2010-10-07 13:54 ` Steve Grubb
0 siblings, 1 reply; 3+ messages in thread
From: Jim Richard @ 2010-10-07 1:36 UTC (permalink / raw)
To: linux-audit@redhat.com
All:
I have a quick question about the name_format parameter in audispd.conf. When selecting options that require a dns lookup are these issued for each record, or is the dns lookup issued one-time at startup? If dns lookup is done for each record I'd prefer to use USER and NAME to force the issue, though if not I'd rather just use the same file on all my servers.
I want to log both locally and to a central server. So which file should this be specified in /etc/audit/auditd.conf or /etc/audisp/audispd.conf or both?
Thanks in advance for any suggestions.
Regards,
Jim Richard
* Re: auditd.conf/audispd.conf question...
From: Steve Grubb @ 2010-10-07 13:54 UTC (permalink / raw)
To: linux-audit; +Cc: Jim Richard
On Wednesday, October 06, 2010 09:36:18 pm Jim Richard wrote:
> I have a quick question about the name_format parameter in audispd.conf.
> When selecting options that require a dns lookup are these issued for each
> record, or is the dns lookup issued one-time at startup? If dns lookup is
> done for each record I'd prefer to use USER and NAME to force the issue,
> though if not I'd rather just use the same file on all my servers.
It's done at the beginning of the event loop so that it never needs to be
looked up again.
> I want to log both locally and to a central server. So which file should
> this be specified in /etc/audit/auditd.conf or /etc/audisp/audispd.conf or
> both?
Both. They are independent of each other.
-Steve
* Re: auditd.conf/audispd.conf question...
From: Steve Grubb @ 2010-10-07 14:09 UTC (permalink / raw)
To: linux-audit; +Cc: Jim Richard
On Thursday, October 07, 2010 09:54:10 am Steve Grubb wrote:
> > I want to log both locally and to a central server. So which file should
> > this be specified in /etc/audit/auditd.conf or /etc/audisp/audispd.conf
> > or both?
>
> Both. They are independent of each other.
Let me clarify. If you want the node name in both places, then you need to put
it in both places. At a minimum, you would want it in audispd.conf so that the
central logger knows where things come from. But you can leave it off the
auditd.conf to save disk space unless you need it to match.
-Steve
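An added example, not part of the thread or of the audit project's code: a shell check that reads name_format and name from both files and flags the cases discussed above (no node name on forwarded events, user without a name, DNS-dependent formats, local and forwarded settings that differ). The function names are hypothetical; it assumes the documented name_format values none, hostname, fqd, numeric and user, and that an unset name_format means none.

```shell
# Added example (not from the thread): check node-name settings in both audit configs.
# Print the value of KEY from a "key = value" FILE; the last assignment wins.
conf_get() {
    [ -r "$2" ] || return 0
    awk -v key="$1" '
        /^[ \t]*#/ || !index($0, "=") { next }
        {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$2"
}

# Report on one file's settings. Args: label, name_format, name.
check_one() {
    case $2 in
        none|hostname) ;;
        fqd|numeric) echo "INFO $1: name_format=$2 relies on DNS resolution" ;;
        user) [ -n "$3" ] || { echo "WARN $1: name_format=user but name is not set"; return 1; } ;;
        *) echo "WARN $1: unrecognised name_format '$2'"; return 1 ;;
    esac
}

# Args: path to auditd.conf, path to audispd.conf. Returns 1 if any WARN was printed.
check_node_name() {
    rc=0
    a_fmt=$(conf_get name_format "$1" | tr 'A-Z' 'a-z'); a_name=$(conf_get name "$1")
    d_fmt=$(conf_get name_format "$2" | tr 'A-Z' 'a-z'); d_name=$(conf_get name "$2")
    : "${a_fmt:=none}" "${d_fmt:=none}"   # assumption: an unset name_format means none
    [ "$a_fmt" = user ] || a_name=""; [ "$d_fmt" = user ] || d_name=""
    check_one auditd.conf "$a_fmt" "$a_name" || rc=1
    check_one audispd.conf "$d_fmt" "$d_name" || rc=1
    # The central logger needs a node name to know where events come from.
    [ "$d_fmt" != none ] || { echo "WARN audispd.conf: no node name on forwarded events"; rc=1; }
    # auditd.conf may leave the name off; if it sets one, it should match audispd.conf.
    [ "$a_fmt" = none ] || [ "$a_fmt:$a_name" = "$d_fmt:$d_name" ] ||
        { echo "WARN settings differ: local and forwarded names may not match"; rc=1; }
    return $rc
}

# Constructed sample configs (not from the thread) so the script runs offline.
demo() {
    d=$(mktemp -d) || return 1
    printf 'log_file = /var/log/audit/audit.log\n' > "$d/auditd.conf"
    printf 'q_depth = 80\nname_format = USER\n' > "$d/audispd.conf"
    check_node_name "$d/auditd.conf" "$d/audispd.conf" && rc=0 || rc=$?
    rm -rf "$d"; return $rc
}
if [ $# -eq 2 ]; then check_node_name "$1" "$2"; else demo || true; fi
```

Run it with the two real paths, /etc/audit/auditd.conf and /etc/audisp/audispd.conf, as arguments to check a host; with no arguments it runs against the constructed sample.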