linux-audit.redhat.com archive mirror
* Audisp-remote - connection refused.
@ 2017-10-02 18:55 Rituraj Buddhisagar
  2017-10-02 19:51 ` Rituraj Buddhisagar
  2017-10-02 21:58 ` Steve Grubb
  0 siblings, 2 replies; 16+ messages in thread
From: Rituraj Buddhisagar @ 2017-10-02 18:55 UTC (permalink / raw)
  To: Steve Grubb, linux-audit



Hi

I tried my best to configure the audisp-remote.
I am getting the error below on the client machine in /var/log/syslog.

Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7: Connection refused


192.168.103.7 is the IP address of the central log server.

Notes: My settings are below:

On the server as well as on the client:
/etc/audisp/audisp-remote

remote_server = 192.168.103.7
port = 6999
local_port = 6999
transport = tcp
queue_file = /var/spool/audit/remote.log
mode = immediate
queue_depth = 2048
format = ascii
network_retry_time = 100


I have enabled name_format=HOSTNAME only in one place (in
/etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf).

entries in auditd.conf:

rtcp_listen_port = 6999
tcp_listen_queue = 5
tcp_max_per_addr = 10
tcp_client_ports = 0-65535
tcp_client_max_idle = 0


I see the server is listening on port 6999 as below, but it's not
accepting client requests.
root@logs:/etc# lsof -i :6999
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)



Best Regards,
Rituraj B





* Re: Audisp-remote - connection refused.
  2017-10-02 18:55 Audisp-remote - connection refused Rituraj Buddhisagar
@ 2017-10-02 19:51 ` Rituraj Buddhisagar
  2017-10-02 21:58 ` Steve Grubb
  1 sibling, 0 replies; 16+ messages in thread
From: Rituraj Buddhisagar @ 2017-10-02 19:51 UTC (permalink / raw)
  To: Steve Grubb, linux-audit



Additional info:

I doubt that the daemon is only listening on localhost and not accepting
remote connections.

# lsof -i :6999
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 9624 root    3u  IPv4  37642      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)


Btw, no iptables is running on the host. Also no tcpwrappers.

Regards

Best Regards,
Rituraj B


On Tue, Oct 3, 2017 at 12:25 AM, Rituraj Buddhisagar <rituraj@vayana.com>
wrote:

> Hi
>
> I tried my best to configure the audisp-remote.
> I am getting below error on the client machine in /var/log/syslog.
>
> Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7:
> Connection refused
>
>
> 192.168.103.7 is the IP address of the central log server.
>
> Notes: My settings are below:
>
> on server as well on client:
> /etc/audisp/audisp-remote
>
> remote_server = 192.168.103.7
> port = 6999
> local_port = 6999
> transport = tcp
> queue_file = /var/spool/audit/remote.log
> mode = immediate
> queue_depth = 2048
> format = ascii
> network_retry_time = 100
>
>
> I have enabled name_format=HOSTNAME only in one place (in
> /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf
>
> entries in auditd.conf:
>
> rtcp_listen_port = 6999
> tcp_listen_queue = 5
> tcp_max_per_addr = 10
> tcp_client_ports = 0-65535
> tcp_client_max_idle = 0
>
>
> I see the server is listening on port 6999 as below, but it's not
> accepting client requests.
> root@logs:/etc# lsof -i :6999
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->
> 192.168.103.7:6999 (ESTABLISHED)
>
>
>
> Best Regards,
> Rituraj B
>
>





* Re: Audisp-remote - connection refused.
  2017-10-02 18:55 Audisp-remote - connection refused Rituraj Buddhisagar
  2017-10-02 19:51 ` Rituraj Buddhisagar
@ 2017-10-02 21:58 ` Steve Grubb
  2017-10-03  3:31   ` Rituraj Buddhisagar
  1 sibling, 1 reply; 16+ messages in thread
From: Steve Grubb @ 2017-10-02 21:58 UTC (permalink / raw)
  To: Rituraj Buddhisagar; +Cc: linux-audit

On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
> Hi
> 
> I tried my best to configure the audisp-remote.
> I am getting below error on the client machine in /var/log/syslog.
> 
> Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7:
> Connection refused


On the server, what do you get for:

ausearch --start recent -m DAEMON_ACCEPT -i

The server side records some information about why it did not allow a 
connection.

> 192.168.103.7 is the IP address of the central log server.
> 
> Notes: My settings are below:
> 
> on server as well on client:
> /etc/audisp/audisp-remote
> 
> remote_server = 192.168.103.7
> port = 6999
> local_port = 6999
> transport = tcp
> queue_file = /var/spool/audit/remote.log
> mode = immediate
> queue_depth = 2048
> format = ascii
> network_retry_time = 100

This is probably not your problem but managed is the normal setting for 
format. And do you have enable_krb5 set to no?

> I have enabled name_format=HOSTNAME only in one place (in
> /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf
> 
> entries in auditd.conf:
> 
> rtcp_listen_port = 6999
> tcp_listen_queue = 5
> tcp_max_per_addr = 10
> tcp_client_ports = 0-65535
> tcp_client_max_idle = 0

What do you have for use_libwrap and enable_krb5? 

The ausearch info from the aggregating server should tell the reason why the 
connection is rejected.

-Steve

> I see the server is listening on port 6999 as below, but it's not
> accepting client requests.
> root@logs:/etc# lsof -i :6999
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->
> 192.168.103.7:6999 (ESTABLISHED)
> 
> 
> 
> Best Regards,
> Rituraj B


* Re: Audisp-remote - connection refused.
  2017-10-02 21:58 ` Steve Grubb
@ 2017-10-03  3:31   ` Rituraj Buddhisagar
  2017-10-03 12:44     ` Steve Grubb
  0 siblings, 1 reply; 16+ messages in thread
From: Rituraj Buddhisagar @ 2017-10-03  3:31 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



Please see inline-

regards

On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
> > Hi
> >
> > I tried my best to configure the audisp-remote.
> > I am getting below error on the client machine in /var/log/syslog.
> >
> > Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7:
> > Connection refused
>
>
> On the server, what do you get for:
>
> ausearch --start recent -m DAEMON_ACCEPT -i
>
> The server side records some information about why it did not allow a
> connection.
>
>
I don't see any info in here.

# ausearch --start recent -m DAEMON_ACCEPT -i
<no matches>

I tried without --start & -i options as well.

But when I do a tcpdump on the central server, I do see requests coming in. (I
changed the port to 60).
# tcpdump -i eth1 '( port 60 )'
08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 4076269452, win 0, length 0
08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076287474, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 18024, win 0, length 0
08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076300652, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 31202, win 0, length 0
08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076306151, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0

I think the service is only listening locally and not for remote
connections?
root@logs:/etc/audit# lsof -i :60
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 1713 root    3u  IPv4  17433      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)


How do I see that I am using libwrap? I have enable_krb5=no in the
auditd.conf on the aggregative server.


> > 192.168.103.7 is the IP address of the central log server.
> >
> > Notes: My settings are below:
> >
> > on server as well on client:
> > /etc/audisp/audisp-remote
> >
> > remote_server = 192.168.103.7
> > port = 6999
> > local_port = 6999
> > transport = tcp
> > queue_file = /var/spool/audit/remote.log
> > mode = immediate
> > queue_depth = 2048
> > format = ascii
> > network_retry_time = 100
>
> This is probably not your problem but managed is the normal setting for
> format. And do you have enable_krb5 set to no?
>
> > I have enabled name_format=HOSTNAME only in one place (in
> > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf
> >
> > entries in auditd.conf:
> >
> > rtcp_listen_port = 6999
> > tcp_listen_queue = 5
> > tcp_max_per_addr = 10
> > tcp_client_ports = 0-65535
> > tcp_client_max_idle = 0
>
> What do you have for use_libwrap and enable_krb5?
>
> The ausearch info from the aggregating server should tell the reason why
> the
> connection is rejected.
>
> -Steve
>
> > I see the server is listening on port 6999 as below, but it's not
> > accepting client requests.
> > root@logs:/etc# lsof -i :6999
> > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999
> ->
> > 192.168.103.7:6999 (ESTABLISHED)
> >
> >
> >
> > Best Regards,
> > Rituraj B
>
>
>





* Re: Audisp-remote - connection refused.
  2017-10-03  3:31   ` Rituraj Buddhisagar
@ 2017-10-03 12:44     ` Steve Grubb
  2017-10-03 12:52       ` Rituraj Buddhisagar
  0 siblings, 1 reply; 16+ messages in thread
From: Steve Grubb @ 2017-10-03 12:44 UTC (permalink / raw)
  To: Rituraj Buddhisagar; +Cc: linux-audit

On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote:
> Please see inline-
> 
> regards
> 
> On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
> > > Hi
> > > 
> > > I tried my best to configure the audisp-remote.
> > > I am getting below error on the client machine in /var/log/syslog.
> > > 
> > > Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7:
> > > Connection refused
> > 
> > On the server, what do you get for:
> > 
> > ausearch --start recent -m DAEMON_ACCEPT -i
> > 
> > The server side records some information about why it did not allow a
> > connection.
> 
> I don't see any info in here.
> 
> # ausearch --start recent -m DAEMON_ACCEPT -i
> <no matches>

Then it's not connecting at all. Maybe your firewall is blocking it. Maybe 
selinux is blocking it? Once auditd sees its socket is readable, it calls 
accept(2) and there is no path through the code that doesn't log an event with 
a reason. Every possible failure logs a distinct reason why the connection 
failed.


> I tried without --start & -i options as well.

--start today if you didn't connect within 10 minutes of running the command.
 

> But when I do a tcpdump on central server, I do see requests coming in. (I
> changed port to 60).
> # tcpdump -i eth1 '( port 60 )'
> 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451,
> win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> length 0
> 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> 4076269452, win 0, length 0
> 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076287474,
> win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> length 0
> 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> 18024, win 0, length 0
> 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076300652,
> win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> length 0
> 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> 31202, win 0, length 0
> 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076306151,
> win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> length 0
> 
> I think the service is only listening locally and not for remote
> connections?

It opens a socket on all addresses.
# netstat -tanp | grep auditd
tcp        0      0 0.0.0.0:60              0.0.0.0:*               LISTEN      893/auditd

> root@logs:/etc/audit# lsof -i :60
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 1713 root    3u  IPv4  17433      0t0  TCP 192.168.103.7:60->
> 192.168.103.7:60 (ESTABLISHED)
> 
> 
> How do I see that I am using libwrap?

It should have a config line in auditd.conf. If you do not, it defaults to 
yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. Odds 
are you put nothing there and the connection proceeds. If I were to guess, I'd 
say iptables is blocking your connection.

> I have enable_krb5=no in the
> auditd.conf on the aggregative server.

Good. Cause doing a krb5 connection without setting that up will cause it to 
fail also. I'd bet on iptables being the problem.

-Steve


> > > 192.168.103.7 is the IP address of the central log server.
> > > 
> > > Notes: My settings are below:
> > > 
> > > on server as well on client:
> > > /etc/audisp/audisp-remote
> > > 
> > > remote_server = 192.168.103.7
> > > port = 6999
> > > local_port = 6999
> > > transport = tcp
> > > queue_file = /var/spool/audit/remote.log
> > > mode = immediate
> > > queue_depth = 2048
> > > format = ascii
> > > network_retry_time = 100
> > 
> > This is probably not your problem but managed is the normal setting for
> > format. And do you have enable_krb5 set to no?
> > 
> > > I have enabled name_format=HOSTNAME only in one place (in
> > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf
> > > 
> > > entries in auditd.conf:
> > > 
> > > rtcp_listen_port = 6999
> > > tcp_listen_queue = 5
> > > tcp_max_per_addr = 10
> > > tcp_client_ports = 0-65535
> > > tcp_client_max_idle = 0
> > 
> > What do you have for use_libwrap and enable_krb5?
> > 
> > The ausearch info from the aggregating server should tell the reason why
> > the
> > connection is rejected.
> > 
> > -Steve
> > 
> > > I see the server is listening on port 6999 as below, but it's not
> > > accepting client requests.
> > > root@logs:/etc# lsof -i :6999
> > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > > audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999
> > 
> > ->
> > 
> > > 192.168.103.7:6999 (ESTABLISHED)
> > > 
> > > 
> > > 
> > > Best Regards,
> > > Rituraj B



--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: Audisp-remote - connection refused.
  2017-10-03 12:44     ` Steve Grubb
@ 2017-10-03 12:52       ` Rituraj Buddhisagar
  2017-10-03 12:58         ` Rituraj Buddhisagar
  2017-10-03 15:08         ` Steve Grubb
  0 siblings, 2 replies; 16+ messages in thread
From: Rituraj Buddhisagar @ 2017-10-03 12:52 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



Hi Steve,

I did check IPtables and I am not having any rules in there. I have allowed
the connections in /etc/hosts.allow. But then I do not see auditd listening
on port 60.
It just shows an "ESTABLISHED" connection on the aggregating server - which
is itself!

root@guslogs:/etc/audit# lsof -i :60
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 2146 root    3u  IPv4  20368      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)
root@guslogs:/etc/audit#
root@guslogs:/etc/audit# netstat -pan | grep 60
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1260/sshd
tcp    10491   1360 192.168.103.7:60        192.168.103.7:60        ESTABLISHED 2146/audisp-remote
tcp6       0      0 :::22                   :::*                    LISTEN      1260/sshd
unix  2      [ ACC ]     STREAM     LISTENING     16055    1925/0               /tmp/ssh-h0brbTMA4a/agent.1925
unix  3      [ ]         STREAM     CONNECTED     13777    1260/sshd
unix  2      [ ]         DGRAM                    17760    1897/systemd
unix  3      [ ]         STREAM     CONNECTED     16036    1897/systemd
unix  2      [ ]         DGRAM                    20360    2136/auditd
unix  3      [ ]         STREAM     CONNECTED     13260    1/init               /run/systemd/journal/stdout
root@guslogs:/etc/audit#
root@guslogs:/etc/audit# netstat -tanp | grep auditd
root@guslogs:/etc/audit#
root@guslogs:/etc/audit# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@guslogs:/etc/audit#
root@guslogs:/etc/audit# cat /etc/hosts.allow
# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#

ALL: ALL
root@guslogs:/etc/audit#


Best Regards,
Rituraj B


On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote:
> > Please see inline-
> >
> > regards
> >
> > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
> > > > Hi
> > > >
> > > > I tried my best to configure the audisp-remote.
> > > > I am getting below error on the client machine in /var/log/syslog.
> > > >
> > > > Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to
> 192.168.103.7:
> > > > Connection refused
> > >
> > > On the server, what do you get for:
> > >
> > > ausearch --start recent -m DAEMON_ACCEPT -i
> > >
> > > The server side records some information about why it did not allow a
> > > connection.
> >
> > I don't see any info in here.
> >
> > # ausearch --start recent -m DAEMON_ACCEPT -i
> > <no matches>
>
> Then it's not connecting at all. Maybe your firewall is blocking it. Maybe
> selinux is blocking it? Once auditd sees its socket is readable, it calls
> accept(2) and there is no path through the code that doesn't log an event
> with
> a reason. Every possible failure logs a distinct reason why the connection
> failed.
>
>
> > I tried without --start & -i options as well.
>
> --start today if you didn't connect within 10 minutes of running the
> command.
>
>
> > But when I do a tcpdump on central server, I do see requests coming in.
> (I
> > changed port to 60).
> > # tcpdump -i eth1 '( port 60 )'
> > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq
> 4076269451,
> > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > length 0
> > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> > 4076269452, win 0, length 0
> > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq
> 4076287474,
> > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > length 0
> > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> > 18024, win 0, length 0
> > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq
> 4076300652,
> > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > length 0
> > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> > 31202, win 0, length 0
> > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq
> 4076306151,
> > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > length 0
> >
> > I think the service is only listening locally and not for remote
> > connections?
>
> It opens a socket on all addresses.
> # netstat -tanp | grep auditd
> tcp        0      0 0.0.0.0:60              0.0.0.0:*               LISTEN
> 893/auditd
>
> > root@logs:/etc/audit# lsof -i :60
> > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > audisp-re 1713 root    3u  IPv4  17433      0t0  TCP 192.168.103.7:60->
> > 192.168.103.7:60 (ESTABLISHED)
> >
> >
> > How do I see that I am using libwrap?
>
> It should have a config line in auditd.conf. If you do not, it defaults to
> yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. Odds
> are you put nothing there and the connection proceeds. If I were to guess,
> I'd
> say iptables is blocking your connection.
>
> > I have enable_krb5=no in the
> > auditd.conf on the aggregative server.
>
> Good. Cause doing a krb5 connection without setting that up will cause it
> to
> fail also. I'd bet on iptables being the problem.
>
> -Steve
>
>
> > > > 192.168.103.7 is the IP address of the central log server.
> > > >
> > > > Notes: My settings are below:
> > > >
> > > > on server as well on client:
> > > > /etc/audisp/audisp-remote
> > > >
> > > > remote_server = 192.168.103.7
> > > > port = 6999
> > > > local_port = 6999
> > > > transport = tcp
> > > > queue_file = /var/spool/audit/remote.log
> > > > mode = immediate
> > > > queue_depth = 2048
> > > > format = ascii
> > > > network_retry_time = 100
> > >
> > > This is probably not your problem but managed is the normal setting for
> > > format. And do you have enable_krb5 set to no?
> > >
> > > > I have enabled name_format=HOSTNAME only in one place (in
> > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf
> > > >
> > > > entries in auditd.conf:
> > > >
> > > > rtcp_listen_port = 6999
> > > > tcp_listen_queue = 5
> > > > tcp_max_per_addr = 10
> > > > tcp_client_ports = 0-65535
> > > > tcp_client_max_idle = 0
> > >
> > > What do you have for use_libwrap and enable_krb5?
> > >
> > > The ausearch info from the aggregating server should tell the reason
> why
> > > the
> > > connection is rejected.
> > >
> > > -Steve
> > >
> > > > I see the server is listening on port 6999 as below, but it's not
> > > > accepting client requests.
> > > > root@logs:/etc# lsof -i :6999
> > > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > > > audisp-re 9091 root    3u  IPv4  33671      0t0  TCP
> 192.168.103.7:6999
> > >
> > > ->
> > >
> > > > 192.168.103.7:6999 (ESTABLISHED)
> > > >
> > > >
> > > >
> > > > Best Regards,
> > > > Rituraj B
>
>
>





* Re: Audisp-remote - connection refused.
  2017-10-03 12:52       ` Rituraj Buddhisagar
@ 2017-10-03 12:58         ` Rituraj Buddhisagar
  2017-10-03 15:08         ` Steve Grubb
  1 sibling, 0 replies; 16+ messages in thread
From: Rituraj Buddhisagar @ 2017-10-03 12:58 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



Steve, I should have attached my config in the previous mail:

Here is the config on the aggregating server. (I see tcp_listen_port in
auditd.conf and then there is mention of local port & port in
audisp-remote.conf as well)
I do not see auditd listening on port 60, as per the netstat output in my
previous mail.

root@guslogs:/etc/audit# cat auditd.conf
#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 10
tcp_client_ports = 0-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
use_libwrap = no
##krb5_key_file = /etc/audit/audit.key
root@guslogs:/etc/audit# cat ../audisp/audisp-remote.conf
#
# This file controls the configuration of the audit remote
# logging subsystem, audisp-remote.
#

remote_server = 192.168.103.7
port = 60
local_port = 60
transport = tcp
queue_file = /var/spool/audit/remote.log
mode = immediate
queue_depth = 2048
format = ascii
network_retry_time = 100
max_tries_per_record = 3
max_time_per_record = 5
heartbeat_timeout = 0

network_failure_action = stop
disk_low_action = ignore
disk_full_action = ignore
disk_error_action = syslog
remote_ending_action = reconnect
generic_error_action = syslog
generic_warning_action = syslog
overflow_action = syslog
##enable_krb5 = no
##krb5_principal =
##krb5_client_name = auditd
##krb5_key_file = /etc/audisp/audisp-remote.key


Best Regards,
Rituraj B


On Tue, Oct 3, 2017 at 6:22 PM, Rituraj Buddhisagar <rituraj@vayana.com>
wrote:

> Hi Steve,
>
> I did check IPtables and I am not having any rules in there. I have
> allowed the connections in /etc/hosts.allow. But then I do not see auditd
> listening on port 60.
> It just shows an "ESTABLISHED" connection on the aggregating server - which
> is itself!
>
> root@guslogs:/etc/audit# lsof -i :60
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 2146 root    3u  IPv4  20368      0t0  TCP 192.168.103.7:60->
> 192.168.103.7:60 (ESTABLISHED)
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# netstat -pan | grep 60
> tcp        0      0 0.0.0.0:22              0.0.0.0:*
> LISTEN      1260/sshd
> tcp    10491   1360 192.168.103.7:60        192.168.103.7:60
>  ESTABLISHED 2146/audisp-remote
> tcp6       0      0 :::22                   :::*                    LISTEN
>      1260/sshd
> unix  2      [ ACC ]     STREAM     LISTENING     16055    1925/0
>      /tmp/ssh-h0brbTMA4a/agent.1925
> unix  3      [ ]         STREAM     CONNECTED     13777    1260/sshd
>
> unix  2      [ ]         DGRAM                    17760    1897/systemd
>
> unix  3      [ ]         STREAM     CONNECTED     16036    1897/systemd
>
> unix  2      [ ]         DGRAM                    20360    2136/auditd
>
> unix  3      [ ]         STREAM     CONNECTED     13260    1/init
>      /run/systemd/journal/stdout
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# netstat -tanp | grep auditd
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# cat /etc/hosts.allow
> # /etc/hosts.allow: list of hosts that are allowed to access the system.
> #                   See the manual pages hosts_access(5) and
> hosts_options(5).
> #
> # Example:    ALL: LOCAL @some_netgroup
> #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
> #
> # If you're going to protect the portmapper use the name "rpcbind" for the
> # daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
> #
>
> ALL: ALL
> root@guslogs:/etc/audit#
>
>
> Best Regards,
> Rituraj B
>
>
> On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>
>> On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote:
>> > Please see inline-
>> >
>> > regards
>> >
>> > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> wrote:
>> > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
>> > > > Hi
>> > > >
>> > > > I tried my best to configure the audisp-remote.
>> > > > I am getting below error on the client machine in /var/log/syslog.
>> > > >
>> > > > Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to
>> 192.168.103.7:
>> > > > Connection refused
>> > >
>> > > On the server, what do you get for:
>> > >
>> > > ausearch --start recent -m DAEMON_ACCEPT -i
>> > >
>> > > The server side records some information about why it did not allow a
>> > > connection.
>> >
>> > I don't see any info in here.
>> >
>> > # ausearch --start recent -m DAEMON_ACCEPT -i
>> > <no matches>
>>
>> Then it's not connecting at all. Maybe your firewall is blocking it. Maybe
>> selinux is blocking it? Once auditd sees its socket is readable, it calls
>> accept(2) and there is no path through the code that doesn't log an event
>> with
>> a reason. Every possible failure logs a distinct reason why the connection
>> failed.
>>
>>
>> > I tried without --start & -i options as well.
>>
>> --start today if you didn't connect within 10 minutes of running the
>> command.
>>
>>
>> > But when I do a tcpdump on central server, I do see requests coming in.
>> (I
>> > changed port to 60).
>> > # tcpdump -i eth1 '( port 60 )'
>> > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq
>> 4076269451,
>> > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
>> > length 0

* Re: Audisp-remote - connection refused.
  2017-10-03 12:52       ` Rituraj Buddhisagar
  2017-10-03 12:58         ` Rituraj Buddhisagar
@ 2017-10-03 15:08         ` Steve Grubb
  2017-10-03 18:40           ` Rituraj Buddhisagar
  1 sibling, 1 reply; 16+ messages in thread
From: Steve Grubb @ 2017-10-03 15:08 UTC (permalink / raw)
  To: Rituraj Buddhisagar; +Cc: linux-audit

On Tuesday, October 3, 2017 8:52:48 AM EDT Rituraj Buddhisagar wrote:
> Hi Steve,
> 
> I did check iptables and I do not have any rules in there. I have allowed
> the connections in /etc/hosts.allow. But then I do not see auditd listening
> on port 60.
> It just shows an "ESTABLISHED" connection on the aggregating server, which
> is itself!

You should not enable audisp-remote on the aggregating server. Auditd handles 
incoming connections itself.

-Steve

> root@guslogs:/etc/audit# lsof -i :60
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 2146 root    3u  IPv4  20368      0t0  TCP 192.168.103.7:60->
> 192.168.103.7:60 (ESTABLISHED)
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# netstat -pan | grep 60
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1260/sshd
> tcp    10491   1360 192.168.103.7:60        192.168.103.7:60        ESTABLISHED 2146/audisp-remote
> tcp6       0      0 :::22                   :::*                    LISTEN      1260/sshd
> unix  2      [ ACC ]     STREAM     LISTENING     16055    1925/0               /tmp/ssh-h0brbTMA4a/agent.1925
> unix  3      [ ]         STREAM     CONNECTED     13777    1260/sshd
> unix  2      [ ]         DGRAM                    17760    1897/systemd
> unix  3      [ ]         STREAM     CONNECTED     16036    1897/systemd
> unix  2      [ ]         DGRAM                    20360    2136/auditd
> unix  3      [ ]         STREAM     CONNECTED     13260    1/init               /run/systemd/journal/stdout
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# netstat -tanp | grep auditd
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# cat /etc/hosts.allow
> # /etc/hosts.allow: list of hosts that are allowed to access the system.
> #                   See the manual pages hosts_access(5) and hosts_options(5).
> #
> # Example:    ALL: LOCAL @some_netgroup
> #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
> #
> # If you're going to protect the portmapper use the name "rpcbind" for the
> # daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
> #
> 
> ALL: ALL
> root@guslogs:/etc/audit#
> 
> 
> Best Regards,
> Rituraj B
> 
> On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote:
> > > Please see inline.
> > > 
> > > regards
> > > 
> > > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
> > > > > Hi
> > > > > 
> > > > > I tried my best to configure the audisp-remote.
> > > > > I am getting below error on the client machine in /var/log/syslog.
> > > > > 
> > > > > Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to
> > 
> > 192.168.103.7:
> > > > > Connection refused
> > > > 
> > > > On the server, what do you get for:
> > > > 
> > > > ausearch --start recent -m DAEMON_ACCEPT -i
> > > > 
> > > > The server side records some information about why it did not allow a
> > > > connection.
> > > 
> > > I don't see any info in here.
> > > 
> > > # ausearch --start recent -m DAEMON_ACCEPT -i
> > > <no matches>
> > 
> > Then it's not connecting at all. Maybe your firewall is blocking it. Maybe
> > selinux is blocking it? Once auditd sees its socket is readable, it calls
> > accept(2) and there is no path through the code that doesn't log an event
> > with a reason. Every possible failure logs a distinct reason why the
> > connection failed.
> > 
> > > I tried without --start & -i options as well.
> > 
> > --start today if you didn't connect within 10 minutes of running the
> > command.
> > 
> > > But when I do a tcpdump on central server, I do see requests coming in. (I
> > > changed port to 60).
> > > # tcpdump -i eth1 '( port 60 )'
> > > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451,
> > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > > length 0
> > > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> > > 4076269452, win 0, length 0
> > > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076287474,
> > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > > length 0
> > > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> > > 18024, win 0, length 0
> > > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076300652,
> > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > > length 0
> > > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> > > 31202, win 0, length 0
> > > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076306151,
> > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > > length 0
> > > 
> > > I think the service is only listening locally and not for remote
> > > connections?
> > 
> > It opens a socket on all addresses.
> > # netstat -tanp | grep auditd
> > tcp        0      0 0.0.0.0:60              0.0.0.0:*               LISTEN
> > 893/auditd
> > 
> > > root@logs:/etc/audit# lsof -i :60
> > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > > audisp-re 1713 root    3u  IPv4  17433      0t0  TCP 192.168.103.7:60->
> > > 192.168.103.7:60 (ESTABLISHED)
> > > 
> > > 
> > > How do I see that I am using libwrap?
> > 
> > It should have a config line in auditd.conf. If you do not, it defaults to
> > yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. Odds
> > are you put nothing there and the connection proceeds. If I were to guess,
> > I'd say iptables is blocking your connection.
> > 
> > > I have enable_krb5=no in the
> > > auditd.conf on the aggregative server.
> > 
> > Good. Because doing a krb5 connection without setting that up will cause it
> > to fail also. I'd bet on iptables being the problem.
> > 
> > -Steve
> > 
> > > > > 192.168.103.7 is the IP address of the central log server.
> > > > > 
> > > > > Notes: My settings are below:
> > > > > 
> > > > > on server as well on client:
> > > > > /etc/audisp/audisp-remote
> > > > > 
> > > > > remote_server = 192.168.103.7
> > > > > port = 6999
> > > > > local_port = 6999
> > > > > transport = tcp
> > > > > queue_file = /var/spool/audit/remote.log
> > > > > mode = immediate
> > > > > queue_depth = 2048
> > > > > format = ascii
> > > > > network_retry_time = 100
> > > > 
> > > > This is probably not your problem but managed is the normal setting for
> > > > format. And do you have enable_krb5 set to no?
> > > > 
> > > > > I have enabled name_format=HOSTNAME only in one place (in
> > > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf
> > > > > 
> > > > > entries in auditd.conf:
> > > > > 
> > > > > rtcp_listen_port = 6999
> > > > > tcp_listen_queue = 5
> > > > > tcp_max_per_addr = 10
> > > > > tcp_client_ports = 0-65535
> > > > > tcp_client_max_idle = 0
> > > > 
> > > > What do you have for use_libwrap and enable_krb5?
> > > > 
> > > > The ausearch info from the aggregating server should tell the reason why
> > > > the connection is rejected.
> > > > 
> > > > -Steve
> > > > 
> > > > > I see the server is listening on the port 6999 as below but it's not
> > > > > accepting client requests.
> > > > > root@logs:/etc# lsof -i :6999
> > > > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > > > > audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->
> > > > > 192.168.103.7:6999 (ESTABLISHED)
> > > > > 
> > > > > 
> > > > > 
> > > > > Best Regards,
> > > > > Rituraj B



--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: Audisp-remote - connection refused.
  2017-10-03 15:08         ` Steve Grubb
@ 2017-10-03 18:40           ` Rituraj Buddhisagar
  2017-10-03 19:08             ` Rituraj Buddhisagar
  0 siblings, 1 reply; 16+ messages in thread
From: Rituraj Buddhisagar @ 2017-10-03 18:40 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit


[-- Attachment #1.1: Type: text/plain, Size: 10945 bytes --]

Hi Steve / Audit List;

I have this issue because Ubuntu has disabled support for the listener in
their distribution!!

On a blog I found that Debian has not disabled it but the Ubuntu
distribution has.

I found this when I ran auditd in the foreground with the -f option.

Listener support is not enabled, ignoring value at line 25
tcp_listen_queue_parser called with: 5
Listener support is not enabled, ignoring value at line 26
tcp_max_per_addr_parser called with: 1
Listener support is not enabled, ignoring value at line 27
tcp_listen_queue_parser called with: 1024-65535
Listener support is not enabled, ignoring value at line 28
tcp_client_max_idle_parser called with: 0


Steve, I then went to the source site (https://people.redhat.com/sgrubb/audit/)
and downloaded a zip from there.

I am doing an install using the configure command below; it fails on the
python-packages dependency.
./configure --prefix=/usr/local --sbindir=/usr/local/sbin --with-python=yes
--with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes
............
.............
.............

checking for python platform... linux2
checking for python script directory... ${prefix}/lib/python2.7/dist-packages
checking for python extension module directory... ${exec_prefix}/lib/python2.7/dist-packages
configure: error: Python explicitly requested and python headers were not found
root@guslogs:/usr/src/audit-2.7.8#


Could you please tell me which dependent packages I need to download and
configure apart from python? (A source link would help.)


I see on the site that you have included "Improved Remote Logging" in the
Roadmap :) Appreciate it and anticipating it!

In the meantime I am also thinking of requesting that Ubuntu add this
support; I am not sure why they did this or what their logic behind it is. I
hereby request that you do something from your end to discuss with the Ubuntu
maintainers enabling this, as there is a HUGE Linux support base out there
using that distro.

Thanks!






Best Regards,
Rituraj B




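Added example, not code from the audit project or from anyone in this thread. It turns the diagnostics discussed above into checks a practitioner can run: Steve's points that the aggregating server must not run audisp-remote against itself, that use_libwrap defaults to yes and consults /etc/hosts.allow and hosts.deny, that enable_krb5 needs Kerberos actually set up and that managed is the normal format; the "Listener support is not enabled, ignoring value at line N" messages Rituraj saw from auditd -f, mapped back to the auditd.conf keys they refer to; and the tcpdump capture in which every client SYN is answered by a RST from the server's own stack, which is what a closed port looks like, whereas a dropped packet produces no reply at all. It assumes the key = value syntax of the two config files, the exact wording of the auditd -f message and tcpdump's default line format; the config files, foreground output and tcpdump lines are constructed samples, and the finding codes are names chosen for this example.

```python
"""Triage helpers for an auditd remote-logging setup.

Added example, not code from the audit project or from anyone in this thread.
Assumes the key = value syntax of auditd.conf and audisp-remote.conf, the
`auditd -f` wording quoted above, and tcpdump's default line format. All
inputs below are constructed samples.
"""
import re

# Constructed auditd.conf for the aggregator; the rtcp_listen_port slip from the
# thread is reproduced on purpose.
AGGREGATOR_AUDITD_CONF = """\
# constructed sample of /etc/audit/auditd.conf
rtcp_listen_port = 6999
tcp_listen_queue = 5
tcp_max_per_addr = 10
tcp_client_ports = 0-65535
tcp_client_max_idle = 0
enable_krb5 = no
"""

# Constructed audisp-remote.conf that was left active on the aggregator itself.
AGGREGATOR_AUDISP_REMOTE_CONF = """\
remote_server = 192.168.103.7
port = 6999
transport = tcp
format = ascii
"""

# Constructed `auditd -f` output from a build without listener support.
AUDITD_FOREGROUND_OUTPUT = """\
Listener support is not enabled, ignoring value at line 3
Listener support is not enabled, ignoring value at line 4
Listener support is not enabled, ignoring value at line 5
Listener support is not enabled, ignoring value at line 6
"""

# Constructed tcpdump lines in the thread's format: a client SYN answered by RST.
TCPDUMP_LINES = [
    "08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451, win 29200, length 0",
    "08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 4076269452, win 0, length 0",
]

def parse_conf(text):
    """Parse 'key = value' lines ('#' starts a comment) into {key: (value, line_no)}."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = (value, lineno)
    return settings

def check_aggregator(auditd_conf, audisp_remote_conf=None, own_addr=None):
    """Return [(code, message)] findings for the aggregator, following the thread's advice."""
    findings = []
    a = parse_conf(auditd_conf)
    if "tcp_listen_port" not in a:
        findings.append(("no-listen-port", "no tcp_listen_port in auditd.conf, so auditd will not listen"))
        for key in a:  # catch a misspelt listener key such as rtcp_listen_port
            if key != "tcp_listen_port" and key.endswith("tcp_listen_port"):
                findings.append(("listen-port-typo", f"{key} looks like a misspelling of tcp_listen_port"))
    if a.get("enable_krb5", ("no", 0))[0] == "yes":
        findings.append(("krb5", "enable_krb5 = yes fails unless Kerberos is really set up"))
    if "use_libwrap" not in a:
        findings.append(("libwrap-default", "use_libwrap unset, defaults to yes: hosts.allow/hosts.deny decide"))
    if audisp_remote_conf is not None:
        r = parse_conf(audisp_remote_conf)
        if own_addr and r.get("remote_server", ("", 0))[0] == own_addr:
            findings.append(("self-connect", "audisp-remote on the aggregator points at itself; "
                             "auditd accepts incoming connections itself, so disable audisp-remote here"))
        if r.get("format", ("managed", 0))[0] != "managed":
            findings.append(("format", "format is normally managed"))
    return findings

def ignored_listener_settings(auditd_conf, foreground_output):
    """Map `auditd -f` 'ignoring value at line N' messages back to config keys.

    A non-empty result means the binary was built without listener support: the
    tcp_* settings are parsed and discarded, and no listening socket is opened.
    """
    by_line = {lineno: key for key, (_, lineno) in parse_conf(auditd_conf).items()}
    pattern = re.compile(r"Listener support is not enabled, ignoring value at line (\d+)")
    return [(int(m.group(1)), by_line.get(int(m.group(1)))) for m in pattern.finditer(foreground_output)]

def classify_tcpdump(lines, server_ip, port):
    """Classify a client's connection attempts from a tcpdump taken on the server.

    SYN answered by RST: the host is reachable but nothing listens on the port.
    SYN with no answer at all: the packets were dropped somewhere on the way.
    """
    ip = re.escape(server_ip)
    syn = re.compile(rf"IP \S+\.{port} > {ip}\.{port}: Flags \[S\]")
    rst = re.compile(rf"IP {ip}\.{port} > \S+\.{port}: Flags \[R\.?\]")
    syns = sum(1 for line in lines if syn.search(line))
    rsts = sum(1 for line in lines if rst.search(line))
    if syns == 0:
        return "no-syn"       # the client's packets never reached this host
    if rsts == 0:
        return "no-reply"     # SYNs seen but unanswered: filtered or dropped
    return "refused" if rsts >= syns else "partial"

if __name__ == "__main__":
    print(check_aggregator(AGGREGATOR_AUDITD_CONF, AGGREGATOR_AUDISP_REMOTE_CONF, "192.168.103.7"))
    print(ignored_listener_settings(AGGREGATOR_AUDITD_CONF, AUDITD_FOREGROUND_OUTPUT))
    print(classify_tcpdump(TCPDUMP_LINES, "192.168.103.7", 60))
```

Run as a script it prints the findings for the constructed inputs; for a real check, feed it the actual config files, the output of auditd -f and a capture filtered on the listen port, and confirm the listener with `netstat -tanp | grep auditd` as Steve did. A "refused" verdict is read together with `iptables -L`: an iptables REJECT rule with tcp-reset also answers SYNs with RST, so only the absence of any REJECT rule pins the refusal on a missing listener.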


* Re: Audisp-remote - connection refused.
  2017-10-03 18:40           ` Rituraj Buddhisagar
@ 2017-10-03 19:08             ` Rituraj Buddhisagar
  2017-10-03 20:00               ` Rituraj Buddhisagar
  0 siblings, 1 reply; 16+ messages in thread
From: Rituraj Buddhisagar @ 2017-10-03 19:08 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit


[-- Attachment #1.1: Type: text/plain, Size: 11992 bytes --]

Sorry if this seems like spamming, but after I sent the earlier mail I did
install from source successfully with only --prefix=/usr/local.

I am now facing an issue like the one below:

root@guslogs:/etc/init.d# /usr/local/sbin/auditd
/usr/local/sbin/auditd: symbol lookup error: /usr/local/sbin/auditd: undefined symbol: auparse_destroy_ext

If someone can point me to a clean and easy install with dependencies from
source it would help.

Steve, please see my previous mail regarding Ubuntu. Thanks a lot for the help!



Best Regards,
Rituraj B





^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Audisp-remote - connection refused.
  2017-10-03 19:08             ` Rituraj Buddhisagar
@ 2017-10-03 20:00               ` Rituraj Buddhisagar
  2017-10-03 20:22                 ` Steve Grubb
  0 siblings, 1 reply; 16+ messages in thread
From: Rituraj Buddhisagar @ 2017-10-03 20:00 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit


Steve,

Here is the relevant discussion on disabling the tcp listener on Ubuntu.
https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html

I do not know what exactly caused the change - but now I think it should be
enabled in distributions.

Please let me know.

Btw, I got auditd running (by setting the LD_LIBRARY_PATH variable) from source
now. Still, audispd is not started - what is the way / sequence to start
auditd and audispd? If you can point me to some reference or a startup
script, that will help.

Thanks!

On Wed, Oct 4, 2017 at 12:38 AM, Rituraj Buddhisagar <rituraj@vayana.com>
wrote:

> Sorry if this seems like spamming, but after I sent the earlier mail - I
> did install from source successfully with only --prefix=/usr/local
>
> I am now facing issue like the below:
>
> root@guslogs:/etc/init.d# /usr/local/sbin/auditd
> /usr/local/sbin/auditd: symbol lookup error: /usr/local/sbin/auditd:
> undefined symbol: auparse_destroy_ext
>
> If someone can point me to a clean and easy install with dependencies from
> source it would help.
>
> Steve, please see my previous mail regarding Ubuntu. Thanks a lot for help!
>
>
>
> Best Regards,
> Rituraj B
>
>
> On Wed, Oct 4, 2017 at 12:10 AM, Rituraj Buddhisagar <rituraj@vayana.com>
> wrote:
>
>> Hi Steve / Audit List ;
>>
>> I have this issue because Ubuntu has disabled support for the listener in
>> their distribution!!
>>
>> On a blog I found that Debian has not disabled it but the Ubuntu
>> distribution has.
>>
>> I found this when I ran auditd in the foreground with the -f option.
>>
>> Listener support is not enabled, ignoring value at line 25
>> tcp_listen_queue_parser called with: 5
>> Listener support is not enabled, ignoring value at line 26
>> tcp_max_per_addr_parser called with: 1
>> Listener support is not enabled, ignoring value at line 27
>> tcp_listen_queue_parser called with: 1024-65535
>> Listener support is not enabled, ignoring value at line 28
>> tcp_client_max_idle_parser called with: 0
>>
>>
>> Steve, I then went to the source site ( https://people.redhat.com/sgrubb/audit/ )
>> and downloaded a zip from there.
>>
>> I am doing an install using the below configure command; it fails with a
>> python-packages dependency.
>> ./configure --prefix=/usr/local --sbindir=/usr/local/sbin
>> --with-python=yes --with-libwrap --enable-gssapi-krb5=yes
>> --with-libcap-ng=yes
>> ............
>> .............
>> .............
>>
>> checking for python platform... linux2
>> checking for python script directory... ${prefix}/lib/python2.7/dist-packages
>> checking for python extension module directory... ${exec_prefix}/lib/python2.7/dist-packages
>> configure: error: Python explicitly requested and python headers were not
>> found
>> root@guslogs:/usr/src/audit-2.7.8#
>>
>>
>> Please can you tell me which dependent packages I need to download and
>> configure apart from python? (A source link would help.)
>>
>>
>> I see on the site that you have included - "Improved Remote Logging" in
>> the Roadmap :) Appreciate it and anticipating it !
>>
>> In the meanwhile I am also thinking of requesting Ubuntu to add this
>> support - not sure why they did this, what is their logic behind this. I
>> hereby request if you can do something from your end to discuss with Ubuntu
>> maintainers to enable this - as there is a HUGE Linux support base out there
>> using that distro.
>>
>> Thanks!
>>
>>
>>
>>
>>
>>
>> Best Regards,
>> Rituraj B
>>
>>
>> On Tue, Oct 3, 2017 at 8:38 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>>
>>> On Tuesday, October 3, 2017 8:52:48 AM EDT Rituraj Buddhisagar wrote:
>>> > Hi Steve,
>>> >
>>> > I did check IPtables and I am not having any rules in there. I have
>>> > allowed the connections in /etc/hosts.allow. But then I do not see
>>> > auditd listening on port 60.
>>> > It just shows "ESTABLISHED" connection on the aggregating server -
>>> > which is itself!
>>>
>>> You should not enable audisp-remote on the aggregating server. Auditd
>>> handles incoming connections itself.
>>>
>>> -Steve
>>>
>>> > root@guslogs:/etc/audit# lsof -i :60
>>> > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
>>> > audisp-re 2146 root    3u  IPv4  20368      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)
>>> > root@guslogs:/etc/audit#
>>> > root@guslogs:/etc/audit# netstat -pan | grep 60
>>> > tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1260/sshd
>>> > tcp    10491   1360 192.168.103.7:60        192.168.103.7:60        ESTABLISHED 2146/audisp-remote
>>> > tcp6       0      0 :::22                   :::*                    LISTEN      1260/sshd
>>> > unix  2      [ ACC ]     STREAM     LISTENING     16055    1925/0               /tmp/ssh-h0brbTMA4a/agent.1925
>>> > unix  3      [ ]         STREAM     CONNECTED     13777    1260/sshd
>>> > unix  2      [ ]         DGRAM                    17760    1897/systemd
>>> > unix  3      [ ]         STREAM     CONNECTED     16036    1897/systemd
>>> > unix  2      [ ]         DGRAM                    20360    2136/auditd
>>> > unix  3      [ ]         STREAM     CONNECTED     13260    1/init               /run/systemd/journal/stdout
>>> > root@guslogs:/etc/audit#
>>> > root@guslogs:/etc/audit# netstat -tanp | grep auditd
>>> > root@guslogs:/etc/audit#
>>> > root@guslogs:/etc/audit# iptables -L
>>> > Chain INPUT (policy ACCEPT)
>>> > target     prot opt source               destination
>>> >
>>> > Chain FORWARD (policy ACCEPT)
>>> > target     prot opt source               destination
>>> >
>>> > Chain OUTPUT (policy ACCEPT)
>>> > target     prot opt source               destination
>>> > root@guslogs:/etc/audit#
>>> > root@guslogs:/etc/audit# cat /etc/hosts.allow
>>> > # /etc/hosts.allow: list of hosts that are allowed to access the system.
>>> > #                   See the manual pages hosts_access(5) and hosts_options(5).
>>> > #
>>> > # Example:    ALL: LOCAL @some_netgroup
>>> > #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
>>> > #
>>> > # If you're going to protect the portmapper use the name "rpcbind" for the
>>> > # daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
>>> > #
>>> >
>>> > ALL: ALL
>>> > root@guslogs:/etc/audit#
>>> >
>>> >
>>> > Best Regards,
>>> > Rituraj B
>>> >
>>> > On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>>> > > On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote:
>>> > > > Please see inline-
>>> > > >
>>> > > > regards
>>> > > >
>>> > > > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> wrote:
>>> > > > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
>>> > > > > > Hi
>>> > > > > >
>>> > > > > > I tried my best to configure the audisp-remote.
>>> > > > > > I am getting below error on the client machine in /var/log/syslog.
>>> > > > > >
>>> > > > > > Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7: Connection refused
>>> > > > >
>>> > > > > On the server, what do you get for:
>>> > > > >
>>> > > > > ausearch --start recent -m DAEMON_ACCEPT -i
>>> > > > >
>>> > > > > The server side records some information about why it did not allow a
>>> > > > > connection.
>>> > > >
>>> > > > I don't see any info in here.
>>> > > >
>>> > > > # ausearch --start recent -m DAEMON_ACCEPT -i
>>> > > > <no matches>
>>> > >
>>> > > Then it's not connecting at all. Maybe your firewall is blocking it. Maybe
>>> > > selinux is blocking it? Once auditd sees its socket is readable, it calls
>>> > > accept(2) and there is no path through the code that doesn't log an event
>>> > > with a reason. Every possible failure logs a distinct reason why the
>>> > > connection failed.
>>> > >
>>> > > > I tried without --start & -i options as well.
>>> > >
>>> > > --start today if you didn't connect within 10 minutes of running the
>>> > > command.
>>> > >
>>> > > > But when I do a tcpdump on central server, I do see requests coming in. (I
>>> > > > changed port to 60).
>>> > > > # tcpdump -i eth1 '( port 60 )'
>>> > > > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
>>> > > > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 4076269452, win 0, length 0
>>> > > > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076287474, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
>>> > > > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 18024, win 0, length 0
>>> > > > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076300652, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
>>> > > > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 31202, win 0, length 0
>>> > > > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076306151, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
>>> > > >
>>> > > > I think the service is only listening locally and not for remote
>>> > > > connections?
>>> > >
>>> > > It opens a socket on all addresses.
>>> > > # netstat -tanp | grep auditd
>>> > > tcp        0      0 0.0.0.0:60              0.0.0.0:*               LISTEN      893/auditd
>>> > >
>>> > > > root@logs:/etc/audit# lsof -i :60
>>> > > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
>>> > > > audisp-re 1713 root    3u  IPv4  17433      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)
>>> > > >
>>> > > >
>>> > > > How do I see that I am using libwrap?
>>> > >
>>> > > It should have a config line in auditd.conf. If you do not, it defaults to
>>> > > yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. Odds
>>> > > are you put nothing there and the connection proceeds. If I were to guess,
>>> > > I'd say iptables is blocking your connection.
>>> > >
>>> > > > I have enable_krb5=no in the
>>> > > > auditd.conf on the aggregative server.
>>> > >
>>> > > Good. Cause doing a krb5 connection without setting that up will cause it
>>> > > to fail also. I'd bet on iptables being the problem.
>>> > >
>>> > > -Steve
>>> > >
>>> > > > > > 192.168.103.7 is the IP address of the central log server.
>>> > > > > >
>>> > > > > > Notes: My settings are below:
>>> > > > > >
>>> > > > > > on server as well on client:
>>> > > > > > /etc/audisp/audisp-remote
>>> > > > > >
>>> > > > > > remote_server = 192.168.103.7
>>> > > > > > port = 6999
>>> > > > > > local_port = 6999
>>> > > > > > transport = tcp
>>> > > > > > queue_file = /var/spool/audit/remote.log
>>> > > > > > mode = immediate
>>> > > > > > queue_depth = 2048
>>> > > > > > format = ascii
>>> > > > > > network_retry_time = 100
>>> > > > >
>>> > > > > This is probably not your problem but managed is the normal setting for
>>> > > > > format. And do you have enable_krb5 set to no?
>>> > > > >
>>> > > > > > I have enabled name_format=HOSTNAME only in one place (in
>>> > > > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf
>>> > > > > >
>>> > > > > > entries in auditd.conf:
>>> > > > > >
>>> > > > > > rtcp_listen_port = 6999
>>> > > > > > tcp_listen_queue = 5
>>> > > > > > tcp_max_per_addr = 10
>>> > > > > > tcp_client_ports = 0-65535
>>> > > > > > tcp_client_max_idle = 0
>>> > > > >
>>> > > > > What do you have for use_libwrap and enable_krb5?
>>> > > > >
>>> > > > > The ausearch info from the aggregating server should tell the reason why
>>> > > > > the connection is rejected.
>>> > > > >
>>> > > > > -Steve
>>> > > > >
>>> > > > > > I see the server is listening on the port 6999 as below but it's not
>>> > > > > > accepting client request.
>>> > > > > > root@logs:/etc# lsof -i :6999
>>> > > > > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
>>> > > > > > audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)
>>> > > > > >
>>> > > > > >
>>> > > > > >
>>> > > > > > Best Regards,
>>> > > > > > Rituraj B

* Re: Audisp-remote - connection refused.
  2017-10-03 20:00               ` Rituraj Buddhisagar
@ 2017-10-03 20:22                 ` Steve Grubb
  2017-10-04 14:01                   ` Rituraj Buddhisagar
  0 siblings, 1 reply; 16+ messages in thread
From: Steve Grubb @ 2017-10-03 20:22 UTC (permalink / raw)
  To: Rituraj Buddhisagar; +Cc: linux-audit

On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote:
> Steve,
> 
> Here is the relevant discussion on disabling the tcp listener on Ubuntu.
> https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html
> 
> I do not know what exactly caused the change - but now I think it should be
> enabled in distributions.
> 
> Please let me know.
> 
> Btw, I got auditd running (by setting the LD_LIBRARY_PATH variable) from source
> now. Still, audispd is not started - what is the way / sequence to start
> auditd and audispd? If you can point me to some reference or a startup
> script, that will help.

Since you installed in a non-standard location, you probably need to adjust 
paths in the config files. 

What I would recommend is not to build and install by hand, but to use their 
package manager to build a new package with listening enabled. The ./configure 
script takes a --disable-listener parameter. So, it's probably as simple as 
deleting that in the source package and rebuilding.

That said, I have no idea how to build a package on Debian or Ubuntu.

-Steve


* Re: Audisp-remote - connection refused.
  2017-10-03 20:22                 ` Steve Grubb
@ 2017-10-04 14:01                   ` Rituraj Buddhisagar
  2017-10-04 15:19                     ` Steve Grubb
  0 siblings, 1 reply; 16+ messages in thread
From: Rituraj Buddhisagar @ 2017-10-04 14:01 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit


Hi Steve / List

Now, I have built auditd from source as per the mail thread and then also
created a startup script.

The auditd is starting successfully.

The client is able to connect to the aggregating server.


node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272):
addr=192.168.103.2 port=60 res=success


I have made the necessary change in the server in /etc/audit/auditd.conf


log_format = NOLOG

I do not see any logs being populated - I checked the log file on the client and
the server, and also the /var/spool/audit/remote.log on the client.
On the server side /var/spool/audit/remote.log is empty (I am not sure if
this is something I should be checking at all).

I am clueless as to what is happening. Is there some way to debug this?
Where are these logs getting lost?
When I change the log_format back to RAW I do see the logs getting created on
the client.

I did my best reading on the net and debugging this - but no success. Please
help.


* Re: Audisp-remote - connection refused.
  2017-10-04 14:01                   ` Rituraj Buddhisagar
@ 2017-10-04 15:19                     ` Steve Grubb
  2017-10-04 16:02                       ` Rituraj Buddhisagar
  0 siblings, 1 reply; 16+ messages in thread
From: Steve Grubb @ 2017-10-04 15:19 UTC (permalink / raw)
  To: Rituraj Buddhisagar; +Cc: linux-audit

On Wednesday, October 4, 2017 10:01:49 AM EDT Rituraj Buddhisagar wrote:
> Hi Steve / List
> 
> Now, I have built auditd from source as per the mail thread and then also
> created a startup script.
> 
> The auditd is starting successfully.
> 
> The client is able to connect to the aggregating server.
> 
> 
> node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272):
> addr=192.168.103.2 port=60 res=success
> 
> 
> I have made the necessary change in the server in /etc/audit/auditd.conf
> 
> log_format = NOLOG

This is a deprecated option that tells it to not write anything to disk.

> I do not see any logs being populated - I checked log file on client, the
> server - also the /var/spool/audit/remote.log on the client.
> On the server side /var/spool/audit/remote.log is empty (I am not sure if
> this is something I should be checking at all)
> 
> I am clueless as to what is happening. Is there some way to debug this?

Did you modify auditd.conf to have the format be nolog? If so, it's an 
explained condition. Nolog means no logging to disk.

> Where are these logs getting lost?
> When I change the log_format back to RAW I do see the logs getting created on
> the client.

For remote logging, you should set the format to enriched. This resolves 
things locally so that the aggregating server can make sense of it later. If 
you do not want events written to disk on the remote system, set write_logs = 
no. You should also set name_format = hostname (or something else) in 
auditd.conf of the remote systems. This is so you can tell who is creating the 
events in the aggregating server.

On the aggregating server, also set the format to enriched. But there you have 
to have write_logs = yes. Also set name_format = hostname in auditd.conf of 
the server.

I would not recommend setting the name in audispd.conf for any system.

-Steve


* Re: Audisp-remote - connection refused.
  2017-10-04 15:19                     ` Steve Grubb
@ 2017-10-04 16:02                       ` Rituraj Buddhisagar
  2017-10-04 16:28                         ` Steve Grubb
  0 siblings, 1 reply; 16+ messages in thread
From: Rituraj Buddhisagar @ 2017-10-04 16:02 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit


Hi Steve,

I did the necessary:
Changed log_format in auditd.conf to ENRICHED.
write_logs set to "no" on the client and "yes" on the aggregating server.
name_format was already set in auditd.conf and not in audispd.conf on both
the servers.

I still do not see any logs coming in /var/log/audit/audit.log on
aggregating server.

Any debugging tools to see the queue of audisp-remote? The spool file
/var/spool/audit/remote.log does not have any entries populated (btw I had to
create it manually).

Thanks!


* Re: Audisp-remote - connection refused.
  2017-10-04 16:02                       ` Rituraj Buddhisagar
@ 2017-10-04 16:28                         ` Steve Grubb
  0 siblings, 0 replies; 16+ messages in thread
From: Steve Grubb @ 2017-10-04 16:28 UTC (permalink / raw)
  To: Rituraj Buddhisagar; +Cc: linux-audit

On Wednesday, October 4, 2017 12:02:06 PM EDT Rituraj Buddhisagar wrote:
> Hi Steve,
> 
> I did the necessary:
> Changed log_format in auditd.conf to ENRICHED.
> write_logs set to "no" on the client and "yes" on the aggregating server.
> name_format was already set in auditd.conf and not in audispd.conf on both
> the servers.
> 
> I still do not see any logs coming in /var/log/audit/audit.log on
> aggregating server.

You can run auditd -f on both systems to see on screen what is happening. Then 
on the remote, auditctl -m test. You should see it on the remote screen 
followed by the server screen. If you do, then something is wrong with your 
config file paths.

If you don't see events, I think you have some troubleshooting of your own to 
do. I can't see your system so you'll have to figure it out. I also updated 
the INSTALL file in github to better reflect how to build and install it from 
scratch.

> Any debugging tools to see the queue of audisp-remote? The spool file
> /var/spool/audit/remote.log does not have any entries populated (btw I had to
> create it manually).

It only uses a spool file if the mode is forward. Immediate mode does not use 
it.

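As an added example that is not part of this thread or of the audit project's code, the Python linter below encodes the configuration advice Steve gives in the replies above (enriched format on both sides, write_logs by role, name_format in auditd.conf rather than audispd.conf, nolog deprecated, no audisp-remote on the aggregating server, the spool file only used in forward mode) and runs it over constructed sample configs modelled on the thread. The parser, the client/server role split and the check that tcp_listen_port is set on the aggregator are my own assumptions.

```python
"""Added example (not from the thread or the audit project): lint auditd.conf,
audisp-remote.conf and audispd.conf contents against the remote-logging advice
given in this thread."""


def parse_conf(text):
    """Parse 'key = value' lines in the auditd/audisp config style.

    Comments and blank lines are ignored; keys and values are lower-cased
    because the daemons accept them case-insensitively (ENRICHED == enriched).
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip().lower()
    return conf


def lint_remote_logging(role, auditd_conf, remote_conf=None, audispd_conf=None):
    """Return a list of findings for one host (empty list = matches the advice).

    role          'client' (remote system forwarding events) or 'server'
                  (the aggregating server)
    auditd_conf   parsed /etc/audit/auditd.conf
    remote_conf   parsed audisp-remote.conf when the audisp-remote plugin is
                  active on this host, otherwise None
    audispd_conf  parsed audispd.conf, or None
    Defaults assumed for absent keys (as stated in the thread): raw format,
    write_logs = yes, name_format = none, audisp-remote mode = immediate.
    """
    findings = []

    fmt = auditd_conf.get("log_format", "raw")
    if fmt == "nolog":
        findings.append("log_format = nolog is deprecated and writes nothing to disk; "
                        "use log_format = enriched with write_logs = no instead")
    elif fmt != "enriched":
        findings.append(f"log_format = {fmt}: use enriched so names are resolved "
                        "locally and the aggregating server can make sense of events")

    if auditd_conf.get("name_format", "none") == "none":
        findings.append("name_format is not set in auditd.conf; set it (e.g. hostname) "
                        "so the aggregating server can tell which host sent each event")
    if audispd_conf is not None and "name_format" in audispd_conf:
        findings.append("name_format is set in audispd.conf; set it in auditd.conf instead")

    if role == "server":
        if auditd_conf.get("write_logs", "yes") != "yes":
            findings.append("the aggregating server needs write_logs = yes")
        if "tcp_listen_port" not in auditd_conf:  # assumption: no port, no listener
            findings.append("tcp_listen_port is not set; auditd will not listen for remote systems")
        if remote_conf is not None:
            findings.append("audisp-remote is active on the aggregating server; "
                            "auditd handles incoming connections itself")
    elif role == "client":
        if remote_conf is None:
            findings.append("audisp-remote is not active; nothing will be forwarded")
        else:
            if "remote_server" not in remote_conf:
                findings.append("remote_server is not set in audisp-remote.conf")
            if remote_conf.get("mode", "immediate") == "immediate" and "queue_file" in remote_conf:
                findings.append("queue_file is only used in forward mode; in immediate mode "
                                "the spool file stays empty, so it is not worth checking")
    else:
        raise ValueError(f"unknown role {role!r}")

    return findings


# Constructed sample configs modelled on the thread, not copied from a real host.
CLIENT_BEFORE = {
    "auditd": "log_format = NOLOG\n",
    "remote": "remote_server = 192.168.103.7\nport = 60\nmode = immediate\n"
              "queue_file = /var/spool/audit/remote.log\n",
    "audispd": "name_format = HOSTNAME\n",
}
CLIENT_AFTER = {
    "auditd": "log_format = ENRICHED\nwrite_logs = no\nname_format = hostname\n",
    "remote": "remote_server = 192.168.103.7\nport = 60\nmode = immediate\n",
    "audispd": "q_depth = 250\n",
}
SERVER_AFTER = {
    "auditd": "log_format = enriched\nwrite_logs = yes\nname_format = hostname\n"
              "tcp_listen_port = 60\nuse_libwrap = yes\nenable_krb5 = no\n",
}


def lint_host(role, files):
    """Parse the file contents of one sample host and lint them for its role."""
    return lint_remote_logging(
        role,
        parse_conf(files["auditd"]),
        parse_conf(files["remote"]) if "remote" in files else None,
        parse_conf(files["audispd"]) if "audispd" in files else None,
    )


if __name__ == "__main__":
    for name, role, files in (("client before", "client", CLIENT_BEFORE),
                              ("client after", "client", CLIENT_AFTER),
                              ("server after", "server", SERVER_AFTER)):
        print(f"{name}: {lint_host(role, files) or ['ok']}")
```

The linter reads only the three config files; it does not consult /etc/hosts.allow or hosts.deny, which auditd checks itself when use_libwrap is yes.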
