* Audisp-remote - connection refused. @ 2017-10-02 18:55 Rituraj Buddhisagar 2017-10-02 19:51 ` Rituraj Buddhisagar 2017-10-02 21:58 ` Steve Grubb 0 siblings, 2 replies; 16+ messages in thread From: Rituraj Buddhisagar @ 2017-10-02 18:55 UTC (permalink / raw) To: Steve Grubb, linux-audit [-- Attachment #1.1: Type: text/plain, Size: 1137 bytes --] Hi I tried my best to configure the audisp-remote. I am getting below error on the client machine in /var/log/syslog. Oct 2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7: Connection refused 192.168.103.7 is the IP address of the central log server. Notes: My settings are below: on server as well on client: /etc/audisp/audisp-remote remote_server = 192.168.103.7 port = 6999 local_port = 6999 transport = tcp queue_file = /var/spool/audit/remote.log mode = immediate queue_depth = 2048 format = ascii network_retry_time = 100 I have enabled name_format=HOSTNAME only in one place (in /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf entries in auditd.conf: rtcp_listen_port = 6999 tcp_listen_queue = 5 tcp_max_per_addr = 10 tcp_client_ports = 0-65535 tcp_client_max_idle = 0 I see the server is listening on the port 6999 as below but its not accepting client request. root@logs:/etc# lsof -i :6999 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME audisp-re 9091 root 3u IPv4 33671 0t0 TCP 192.168.103.7:6999-> 192.168.103.7:6999 (ESTABLISHED) Best Regards, Rituraj B [-- Attachment #1.2: Type: text/html, Size: 5536 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Audisp-remote - connection refused. 2017-10-02 18:55 Audisp-remote - connection refused Rituraj Buddhisagar @ 2017-10-02 19:51 ` Rituraj Buddhisagar 2017-10-02 21:58 ` Steve Grubb 1 sibling, 0 replies; 16+ messages in thread From: Rituraj Buddhisagar @ 2017-10-02 19:51 UTC (permalink / raw) To: Steve Grubb, linux-audit [-- Attachment #1.1: Type: text/plain, Size: 1688 bytes --] Additional info: I doubt that the daemon is only listening on localhost and not accepting remote. # lsof -i :6999 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME audisp-re 9624 root 3u IPv4 37642 0t0 TCP 192.168.103.7:6999-> 192.168.103.7:6999 (ESTABLISHED) Btw, no iptables is running on the host. Also no tcpwrappers. Regards Best Regards, Rituraj B On Tue, Oct 3, 2017 at 12:25 AM, Rituraj Buddhisagar <rituraj@vayana.com> wrote: > Hi > > I tried my best to configure the audisp-remote. > I am getting below error on the client machine in /var/log/syslog. > > Oct 2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7: > Connection refused > > > 192.168.103.7 is the IP address of the central log server. > > Notes: My settings are below: > > on server as well on client: > /etc/audisp/audisp-remote > > remote_server = 192.168.103.7 > port = 6999 > local_port = 6999 > transport = tcp > queue_file = /var/spool/audit/remote.log > mode = immediate > queue_depth = 2048 > format = ascii > network_retry_time = 100 > > > I have enabled name_format=HOSTNAME only in one place (in > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf > > entries in auditd.conf: > > rtcp_listen_port = 6999 > tcp_listen_queue = 5 > tcp_max_per_addr = 10 > tcp_client_ports = 0-65535 > tcp_client_max_idle = 0 > > > I see the server is listening on the port 6999 as below but its not > accepting client request. > root@logs:/etc# lsof -i :6999 > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > audisp-re 9091 root 3u IPv4 33671 0t0 TCP 192.168.103.7:6999-> > 192.168.103.7:6999 (ESTABLISHED) > > > > Best Regards, > Rituraj B > > [-- Attachment #1.2: Type: text/html, Size: 7845 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Audisp-remote - connection refused. 2017-10-02 18:55 Audisp-remote - connection refused Rituraj Buddhisagar 2017-10-02 19:51 ` Rituraj Buddhisagar @ 2017-10-02 21:58 ` Steve Grubb 2017-10-03 3:31 ` Rituraj Buddhisagar 1 sibling, 1 reply; 16+ messages in thread From: Steve Grubb @ 2017-10-02 21:58 UTC (permalink / raw) To: Rituraj Buddhisagar; +Cc: linux-audit On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote: > Hi > > I tried my best to configure the audisp-remote. > I am getting below error on the client machine in /var/log/syslog. > > Oct 2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7: > Connection refused On the server, what do you get for: ausearch --start recent -m DAEMON_ACCEPT -i The server side records some information about why it did not allow a connection. > 192.168.103.7 is the IP address of the central log server. > > Notes: My settings are below: > > on server as well on client: > /etc/audisp/audisp-remote > > remote_server = 192.168.103.7 > port = 6999 > local_port = 6999 > transport = tcp > queue_file = /var/spool/audit/remote.log > mode = immediate > queue_depth = 2048 > format = ascii > network_retry_time = 100 This is probably not your problem but managed is the normal setting for format. And do you have enable_krb5 set to no? > I have enabled name_format=HOSTNAME only in one place (in > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf > > entries in auditd.conf: > > rtcp_listen_port = 6999 > tcp_listen_queue = 5 > tcp_max_per_addr = 10 > tcp_client_ports = 0-65535 > tcp_client_max_idle = 0 What do you have for use_libwrap and enable_krb5? The ausearcn info from the aggregating server should tell the reason why the connection is rejected. -Steve > I see the server is listening on the port 6999 as below but its not > accepting client request. > root@logs:/etc# lsof -i :6999 > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > audisp-re 9091 root 3u IPv4 33671 0t0 TCP 192.168.103.7:6999-> > 192.168.103.7:6999 (ESTABLISHED) > > > > Best Regards, > Rituraj B ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Audisp-remote - connection refused. 2017-10-02 21:58 ` Steve Grubb @ 2017-10-03 3:31 ` Rituraj Buddhisagar 2017-10-03 12:44 ` Steve Grubb 0 siblings, 1 reply; 16+ messages in thread From: Rituraj Buddhisagar @ 2017-10-03 3:31 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 3658 bytes --] P lease see inline- regards On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> wrote: > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote: > > Hi > > > > I tried my best to configure the audisp-remote. > > I am getting below error on the client machine in /var/log/syslog. > > > > Oct 2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7: > > Connection refused > > > On the server, what do you get for: > > ausearch --start recent -m DAEMON_ACCEPT -i > > The server side records some information about why it did not allow a > connection. > > I dont see any info in here. # ausearch --start recent -m DAEMON_ACCEPT -i <no matches> I tried without --start & -i options as well. But when I do a tcpdump on central server, I do see requests coming in. (I changed port to 60). # tcpdump -i eth1 '( port 60 )' 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 4076269452, win 0, length 0 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076287474, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 18024, win 0, length 0 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076300652, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 31202, win 0, length 0 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076306151, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0 I think the service is only listening locally and not for remote connections? root@logs:/etc/audit# lsof -i :60 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME audisp-re 1713 root 3u IPv4 17433 0t0 TCP 192.168.103.7:60-> 192.168.103.7:60 (ESTABLISHED) How do I see that I am using libwrap? I have enable_krb5=no in the auditd.conf on the aggregative server. > > 192.168.103.7 is the IP address of the central log server. > > > > Notes: My settings are below: > > > > on server as well on client: > > /etc/audisp/audisp-remote > > > > remote_server = 192.168.103.7 > > port = 6999 > > local_port = 6999 > > transport = tcp > > queue_file = /var/spool/audit/remote.log > > mode = immediate > > queue_depth = 2048 > > format = ascii > > network_retry_time = 100 > > This is probably not your problem but managed is the normal setting for > format. And do you have enable_krb5 set to no? > > > I have enabled name_format=HOSTNAME only in one place (in > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf > > > > entries in auditd.conf: > > > > rtcp_listen_port = 6999 > > tcp_listen_queue = 5 > > tcp_max_per_addr = 10 > > tcp_client_ports = 0-65535 > > tcp_client_max_idle = 0 > > What do you have for use_libwrap and enable_krb5? > > The ausearcn info from the aggregating server should tell the reason why > the > connection is rejected. > > -Steve > > > I see the server is listening on the port 6999 as below but its not > > accepting client request. > > root@logs:/etc# lsof -i :6999 > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > > audisp-re 9091 root 3u IPv4 33671 0t0 TCP 192.168.103.7:6999 > -> > > 192.168.103.7:6999 (ESTABLISHED) > > > > > > > > Best Regards, > > Rituraj B > > > [-- Attachment #1.2: Type: text/html, Size: 8320 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Audisp-remote - connection refused. 2017-10-03 3:31 ` Rituraj Buddhisagar @ 2017-10-03 12:44 ` Steve Grubb 2017-10-03 12:52 ` Rituraj Buddhisagar 0 siblings, 1 reply; 16+ messages in thread From: Steve Grubb @ 2017-10-03 12:44 UTC (permalink / raw) To: Rituraj Buddhisagar; +Cc: linux-audit On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote: > P > lease see inline- > > regards > > > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> wrote: > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote: > > > Hi > > > > > > I tried my best to configure the audisp-remote. > > > I am getting below error on the client machine in /var/log/syslog. > > > > > > Oct 2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7: > > > Connection refused > > > > On the server, what do you get for: > > > > ausearch --start recent -m DAEMON_ACCEPT -i > > > > The server side records some information about why it did not allow a > > connection. > > I dont see any info in here. > > # ausearch --start recent -m DAEMON_ACCEPT -i > <no matches> Then its not connecting at all. Maybe your firewall is blocking it. Maybe selinux is blocking it? Once auditd sees its socket is readable, it calls accept(2) and there is no path through the code that doesn't log an event with a reason. Every possible failure logs a distinct reason why the connection failed. > I tried without --start & -i options as well. --start today if you didn't connect within 10 minutes of running the command. > But when I do a tcpdump on central server, I do see requests coming in. (I > changed port to 60). > # tcpdump -i eth1 '( port 60 )' > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451, > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], > length 0 > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack > 4076269452, win 0, length 0 > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076287474, > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], > length 0 > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack > 18024, win 0, length 0 > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076300652, > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], > length 0 > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack > 31202, win 0, length 0 > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076306151, > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], > length 0 > > I think the service is only listening locally and not for remote > connections? It opens a socket on all addresses. # netstat -tanp | grep auditd tcp 0 0 0.0.0.0:60 0.0.0.0:* LISTEN 893/auditd > root@logs:/etc/audit# lsof -i :60 > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > audisp-re 1713 root 3u IPv4 17433 0t0 TCP 192.168.103.7:60-> > 192.168.103.7:60 (ESTABLISHED) > > > How do I see that I am using libwrap? It should have a config line in auditd.conf. If you do not, it defaults to yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. Odds are you put nothing there and the connection proceeds. If I were to guess, I'd say iptables is blocking your connection. > I have enable_krb5=no in the > auditd.conf on the aggregative server. Good. Cause doing a krb5 connection without setting that up will cause it to fail also. I'd bet on iptables being the problem. -Steve > > > 192.168.103.7 is the IP address of the central log server. > > > > > > Notes: My settings are below: > > > > > > on server as well on client: > > > /etc/audisp/audisp-remote > > > > > > remote_server = 192.168.103.7 > > > port = 6999 > > > local_port = 6999 > > > transport = tcp > > > queue_file = /var/spool/audit/remote.log > > > mode = immediate > > > queue_depth = 2048 > > > format = ascii > > > network_retry_time = 100 > > > > This is probably not your problem but managed is the normal setting for > > format. And do you have enable_krb5 set to no? > > > > > I have enabled name_format=HOSTNAME only in one place (in > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf > > > > > > entries in auditd.conf: > > > > > > rtcp_listen_port = 6999 > > > tcp_listen_queue = 5 > > > tcp_max_per_addr = 10 > > > tcp_client_ports = 0-65535 > > > tcp_client_max_idle = 0 > > > > What do you have for use_libwrap and enable_krb5? > > > > The ausearcn info from the aggregating server should tell the reason why > > the > > connection is rejected. > > > > -Steve > > > > > I see the server is listening on the port 6999 as below but its not > > > accepting client request. > > > root@logs:/etc# lsof -i :6999 > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > > > audisp-re 9091 root 3u IPv4 33671 0t0 TCP 192.168.103.7:6999 > > > > -> > > > > > 192.168.103.7:6999 (ESTABLISHED) > > > > > > > > > > > > Best Regards, > > > Rituraj B -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Audisp-remote - connection refused. 2017-10-03 12:44 ` Steve Grubb @ 2017-10-03 12:52 ` Rituraj Buddhisagar 2017-10-03 12:58 ` Rituraj Buddhisagar 2017-10-03 15:08 ` Steve Grubb 0 siblings, 2 replies; 16+ messages in thread From: Rituraj Buddhisagar @ 2017-10-03 12:52 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 7599 bytes --] Hi Steve, I did check IPtables and I am not having any rules in there. I have allowed the connections in /etc/hosts.allow. But then I do not see auditd listening on port 60. It just shows "ESSTABLISHED" connection on the aggregating server - which is itself! root@guslogs:/etc/audit# lsof -i :60 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME audisp-re 2146 root 3u IPv4 20368 0t0 TCP 192.168.103.7:60-> 192.168.103.7:60 (ESTABLISHED) root@guslogs:/etc/audit# root@guslogs:/etc/audit# netstat -pan | grep 60 tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1260/sshd tcp 10491 1360 192.168.103.7:60 192.168.103.7:60 ESTABLISHED 2146/audisp-remote tcp6 0 0 :::22 :::* LISTEN 1260/sshd unix 2 [ ACC ] STREAM LISTENING 16055 1925/0 /tmp/ssh-h0brbTMA4a/agent.1925 unix 3 [ ] STREAM CONNECTED 13777 1260/sshd unix 2 [ ] DGRAM 17760 1897/systemd unix 3 [ ] STREAM CONNECTED 16036 1897/systemd unix 2 [ ] DGRAM 20360 2136/auditd unix 3 [ ] STREAM CONNECTED 13260 1/init /run/systemd/journal/stdout root@guslogs:/etc/audit# root@guslogs:/etc/audit# netstat -tanp | grep auditd root@guslogs:/etc/audit# root@guslogs:/etc/audit# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination root@guslogs:/etc/audit# root@guslogs:/etc/audit# cat /etc/hosts.allow # /etc/hosts.allow: list of hosts that are allowed to access the system. # See the manual pages hosts_access(5) and hosts_options(5). # # Example: ALL: LOCAL @some_netgroup # ALL: .foobar.edu EXCEPT terminalserver.foobar.edu # # If you're going to protect the portmapper use the name "rpcbind" for the # daemon name. See rpcbind(8) and rpc.mountd(8) for further information. # ALL: ALL root@guslogs:/etc/audit# Best Regards, Rituraj B On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb <sgrubb@redhat.com> wrote: > On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote: > > P > > lease see inline- > > > > regards > > > > > > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> wrote: > > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote: > > > > Hi > > > > > > > > I tried my best to configure the audisp-remote. > > > > I am getting below error on the client machine in /var/log/syslog. > > > > > > > > Oct 2 14:41:15 xxxxxx audisp-remote: Error connecting to > 192.168.103.7: > > > > Connection refused > > > > > > On the server, what do you get for: > > > > > > ausearch --start recent -m DAEMON_ACCEPT -i > > > > > > The server side records some information about why it did not allow a > > > connection. > > > > I dont see any info in here. > > > > # ausearch --start recent -m DAEMON_ACCEPT -i > > <no matches> > > Then its not connecting at all. Maybe your firewall is blocking it. Maybe > selinux is blocking it? Once auditd sees its socket is readable, it calls > accept(2) and there is no path through the code that doesn't log an event > with > a reason. Every possible failure logs a distinct reason why the connection > failed. > > > > I tried without --start & -i options as well. > > --start today if you didn't connect within 10 minutes of running the > command. > > > > But when I do a tcpdump on central server, I do see requests coming in. > (I > > changed port to 60). > > # tcpdump -i eth1 '( port 60 )' > > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq > 4076269451, > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], > > length 0 > > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack > > 4076269452, win 0, length 0 > > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq > 4076287474, > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], > > length 0 > > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack > > 18024, win 0, length 0 > > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq > 4076300652, > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], > > length 0 > > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack > > 31202, win 0, length 0 > > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq > 4076306151, > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], > > length 0 > > > > I think the service is only listening locally and not for remote > > connections? > > It opens a socket on all addresses. > # netstat -tanp | grep auditd > tcp 0 0 0.0.0.0:60 0.0.0.0:* LISTEN > 893/auditd > > > root@logs:/etc/audit# lsof -i :60 > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > > audisp-re 1713 root 3u IPv4 17433 0t0 TCP 192.168.103.7:60-> > > 192.168.103.7:60 (ESTABLISHED) > > > > > > How do I see that I am using libwrap? > > It should have a config line in auditd.conf. If you do not, it defaults to > yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. Odds > are you put nothing there and the connection proceeds. If I were to guess, > I'd > say iptables is blocking your connection. > > > I have enable_krb5=no in the > > auditd.conf on the aggregative server. > > Good. Cause doing a krb5 connection without setting that up will cause it > to > fail also. I'd bet on iptables being the problem. > > -Steve > > > > > > 192.168.103.7 is the IP address of the central log server. > > > > > > > > Notes: My settings are below: > > > > > > > > on server as well on client: > > > > /etc/audisp/audisp-remote > > > > > > > > remote_server = 192.168.103.7 > > > > port = 6999 > > > > local_port = 6999 > > > > transport = tcp > > > > queue_file = /var/spool/audit/remote.log > > > > mode = immediate > > > > queue_depth = 2048 > > > > format = ascii > > > > network_retry_time = 100 > > > > > > This is probably not your problem but managed is the normal setting for > > > format. And do you have enable_krb5 set to no? > > > > > > > I have enabled name_format=HOSTNAME only in one place (in > > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf > > > > > > > > entries in auditd.conf: > > > > > > > > rtcp_listen_port = 6999 > > > > tcp_listen_queue = 5 > > > > tcp_max_per_addr = 10 > > > > tcp_client_ports = 0-65535 > > > > tcp_client_max_idle = 0 > > > > > > What do you have for use_libwrap and enable_krb5? > > > > > > The ausearcn info from the aggregating server should tell the reason > why > > > the > > > connection is rejected. > > > > > > -Steve > > > > > > > I see the server is listening on the port 6999 as below but its not > > > > accepting client request. > > > > root@logs:/etc# lsof -i :6999 > > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > > > > audisp-re 9091 root 3u IPv4 33671 0t0 TCP > 192.168.103.7:6999 > > > > > > -> > > > > > > > 192.168.103.7:6999 (ESTABLISHED) > > > > > > > > > > > > > > > > Best Regards, > > > > Rituraj B > > > [-- Attachment #1.2: Type: text/html, Size: 15273 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Audisp-remote - connection refused. 2017-10-03 12:52 ` Rituraj Buddhisagar @ 2017-10-03 12:58 ` Rituraj Buddhisagar 2017-10-03 15:08 ` Steve Grubb 1 sibling, 0 replies; 16+ messages in thread From: Rituraj Buddhisagar @ 2017-10-03 12:58 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 9884 bytes --] Steve, I should have attached my config in previous mail: Here is the config on the aggregating server. (I see tcp_listen_port in auditd.conf and then there is mention of local port & port in audisp-remote.conf as well) I do not see auditd listening on port 60 as per my previous mail. (netstat output) root@guslogs:/etc/audit# cat auditd.conf # # This file controls the configuration of the audit daemon # log_file = /var/log/audit/audit.log log_format = RAW log_group = root priority_boost = 4 flush = INCREMENTAL freq = 20 num_logs = 5 disp_qos = lossy dispatcher = /sbin/audispd name_format = NONE ##name = mydomain max_log_file = 6 max_log_file_action = ROTATE space_left = 75 space_left_action = SYSLOG action_mail_acct = root admin_space_left = 50 admin_space_left_action = SUSPEND disk_full_action = SUSPEND disk_error_action = SUSPEND tcp_listen_port = 60 tcp_listen_queue = 5 tcp_max_per_addr = 10 tcp_client_ports = 0-65535 tcp_client_max_idle = 0 enable_krb5 = no krb5_principal = auditd use_libwrap = no ##krb5_key_file = /etc/audit/audit.key root@guslogs:/etc/audit# cat ../audisp/audisp-remote.conf # # This file controls the configuration of the audit remote # logging subsystem, audisp-remote. # remote_server = 192.168.103.7 port = 60 local_port = 60 transport = tcp queue_file = /var/spool/audit/remote.log mode = immediate queue_depth = 2048 format = ascii network_retry_time = 100 max_tries_per_record = 3 max_time_per_record = 5 heartbeat_timeout = 0 network_failure_action = stop disk_low_action = ignore disk_full_action = ignore disk_error_action = syslog remote_ending_action = reconnect generic_error_action = syslog generic_warning_action = syslog overflow_action = syslog ##enable_krb5 = no ##krb5_principal = ##krb5_client_name = auditd ##krb5_key_file = /etc/audisp/audisp-remote.key Best Regards, Rituraj B On Tue, Oct 3, 2017 at 6:22 PM, Rituraj Buddhisagar <rituraj@vayana.com> wrote: > Hi Steve, > > I did check IPtables and I am not having any rules in there. I have > allowed the connections in /etc/hosts.allow. But then I do not see auditd > listening on port 60. > It just shows "ESSTABLISHED" connection on the aggregating server - which > is itself! > > root@guslogs:/etc/audit# lsof -i :60 > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > audisp-re 2146 root 3u IPv4 20368 0t0 TCP 192.168.103.7:60-> > 192.168.103.7:60 (ESTABLISHED) > root@guslogs:/etc/audit# > root@guslogs:/etc/audit# netstat -pan | grep 60 > tcp 0 0 0.0.0.0:22 0.0.0.0:* > LISTEN 1260/sshd > tcp 10491 1360 192.168.103.7:60 192.168.103.7:60 > ESTABLISHED 2146/audisp-remote > tcp6 0 0 :::22 :::* LISTEN > 1260/sshd > unix 2 [ ACC ] STREAM LISTENING 16055 1925/0 > /tmp/ssh-h0brbTMA4a/agent.1925 > unix 3 [ ] STREAM CONNECTED 13777 1260/sshd > > unix 2 [ ] DGRAM 17760 1897/systemd > > unix 3 [ ] STREAM CONNECTED 16036 1897/systemd > > unix 2 [ ] DGRAM 20360 2136/auditd > > unix 3 [ ] STREAM CONNECTED 13260 1/init > /run/systemd/journal/stdout > root@guslogs:/etc/audit# > root@guslogs:/etc/audit# netstat -tanp | grep auditd > root@guslogs:/etc/audit# > root@guslogs:/etc/audit# iptables -L > Chain INPUT (policy ACCEPT) > target prot opt source destination > > Chain FORWARD (policy ACCEPT) > target prot opt source destination > > Chain OUTPUT (policy ACCEPT) > target prot opt source destination > root@guslogs:/etc/audit# > root@guslogs:/etc/audit# cat /etc/hosts.allow > # /etc/hosts.allow: list of hosts that are allowed to access the system. > # See the manual pages hosts_access(5) and > hosts_options(5). > # > # Example: ALL: LOCAL @some_netgroup > # ALL: .foobar.edu EXCEPT terminalserver.foobar.edu > # > # If you're going to protect the portmapper use the name "rpcbind" for the > # daemon name. See rpcbind(8) and rpc.mountd(8) for further information. > # > > ALL: ALL > root@guslogs:/etc/audit# > > > Best Regards, > Rituraj B > > > On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb <sgrubb@redhat.com> wrote: > >> On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote: >> > P >> > lease see inline- >> > >> > regards >> > >> > >> > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> wrote: >> > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote: >> > > > Hi >> > > > >> > > > I tried my best to configure the audisp-remote. >> > > > I am getting below error on the client machine in /var/log/syslog. >> > > > >> > > > Oct 2 14:41:15 xxxxxx audisp-remote: Error connecting to >> 192.168.103.7: >> > > > Connection refused >> > > >> > > On the server, what do you get for: >> > > >> > > ausearch --start recent -m DAEMON_ACCEPT -i >> > > >> > > The server side records some information about why it did not allow a >> > > connection. >> > >> > I dont see any info in here. >> > >> > # ausearch --start recent -m DAEMON_ACCEPT -i >> > <no matches> >> >> Then its not connecting at all. Maybe your firewall is blocking it. Maybe >> selinux is blocking it? Once auditd sees its socket is readable, it calls >> accept(2) and there is no path through the code that doesn't log an event >> with >> a reason. Every possible failure logs a distinct reason why the connection >> failed. >> >> >> > I tried without --start & -i options as well. >> >> --start today if you didn't connect within 10 minutes of running the >> command. >> >> >> > But when I do a tcpdump on central server, I do see requests coming in. >> (I >> > changed port to 60). >> > # tcpdump -i eth1 '( port 60 )' >> > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq >> 4076269451, >> > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], >> > length 0 >> > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack >> > 4076269452, win 0, length 0 >> > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq >> 4076287474, >> > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], >> > length 0 >> > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack >> > 18024, win 0, length 0 >> > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq >> 4076300652, >> > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], >> > length 0 >> > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack >> > 31202, win 0, length 0 >> > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq >> 4076306151, >> > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], >> > length 0 >> > >> > I think the service is only listening locally and not for remote >> > connections? >> >> It opens a socket on all addresses. >> # netstat -tanp | grep auditd >> tcp 0 0 0.0.0.0:60 0.0.0.0:* >> LISTEN >> 893/auditd >> >> > root@logs:/etc/audit# lsof -i :60 >> > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME >> > audisp-re 1713 root 3u IPv4 17433 0t0 TCP 192.168.103.7:60-> >> > 192.168.103.7:60 (ESTABLISHED) >> > >> > >> > How do I see that I am using libwrap? >> >> It should have a config line in auditd.conf. If you do not, it defaults to >> yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. >> Odds >> are you put nothing there and the connection proceeds. If I were to >> guess, I'd >> say iptables is blocking your connection. >> >> > I have enable_krb5=no in the >> > auditd.conf on the aggregative server. >> >> Good. Cause doing a krb5 connection without setting that up will cause it >> to >> fail also. I'd bet on iptables being the problem. >> >> -Steve >> >> >> > > > 192.168.103.7 is the IP address of the central log server. >> > > > >> > > > Notes: My settings are below: >> > > > >> > > > on server as well on client: >> > > > /etc/audisp/audisp-remote >> > > > >> > > > remote_server = 192.168.103.7 >> > > > port = 6999 >> > > > local_port = 6999 >> > > > transport = tcp >> > > > queue_file = /var/spool/audit/remote.log >> > > > mode = immediate >> > > > queue_depth = 2048 >> > > > format = ascii >> > > > network_retry_time = 100 >> > > >> > > This is probably not your problem but managed is the normal setting >> for >> > > format. And do you have enable_krb5 set to no? >> > > >> > > > I have enabled name_format=HOSTNAME only in one place (in >> > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf >> > > > >> > > > entries in auditd.conf: >> > > > >> > > > rtcp_listen_port = 6999 >> > > > tcp_listen_queue = 5 >> > > > tcp_max_per_addr = 10 >> > > > tcp_client_ports = 0-65535 >> > > > tcp_client_max_idle = 0 >> > > >> > > What do you have for use_libwrap and enable_krb5? >> > > >> > > The ausearcn info from the aggregating server should tell the reason >> why >> > > the >> > > connection is rejected. >> > > >> > > -Steve >> > > >> > > > I see the server is listening on the port 6999 as below but its not >> > > > accepting client request. >> > > > root@logs:/etc# lsof -i :6999 >> > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME >> > > > audisp-re 9091 root 3u IPv4 33671 0t0 TCP >> 192.168.103.7:6999 >> > > >> > > -> >> > > >> > > > 192.168.103.7:6999 (ESTABLISHED) >> > > > >> > > > >> > > > >> > > > Best Regards, >> > > > Rituraj B >> >> >> > [-- Attachment #1.2: Type: text/html, Size: 23997 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Audisp-remote - connection refused. 2017-10-03 12:52 ` Rituraj Buddhisagar 2017-10-03 12:58 ` Rituraj Buddhisagar @ 2017-10-03 15:08 ` Steve Grubb 2017-10-03 18:40 ` Rituraj Buddhisagar 1 sibling, 1 reply; 16+ messages in thread From: Steve Grubb @ 2017-10-03 15:08 UTC (permalink / raw) To: Rituraj Buddhisagar; +Cc: linux-audit On Tuesday, October 3, 2017 8:52:48 AM EDT Rituraj Buddhisagar wrote: > Hi Steve, > > I did check IPtables and I am not having any rules in there. I have allowed > the connections in /etc/hosts.allow. But then I do not see auditd listening > on port 60. > It just shows "ESSTABLISHED" connection on the aggregating server - which > is itself! You should not enable audisp-remote on the aggregating server. Auditd handles incoming connections itself. -Steve > root@guslogs:/etc/audit# lsof -i :60 > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > audisp-re 2146 root 3u IPv4 20368 0t0 TCP 192.168.103.7:60-> > 192.168.103.7:60 (ESTABLISHED) > root@guslogs:/etc/audit# > root@guslogs:/etc/audit# netstat -pan | grep 60 > tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN > 1260/sshd > tcp 10491 1360 192.168.103.7:60 192.168.103.7:60 > ESTABLISHED 2146/audisp-remote > tcp6 0 0 :::22 :::* LISTEN > 1260/sshd > unix 2 [ ACC ] STREAM LISTENING 16055 1925/0 > /tmp/ssh-h0brbTMA4a/agent.1925 > unix 3 [ ] STREAM CONNECTED 13777 1260/sshd > > unix 2 [ ] DGRAM 17760 1897/systemd > > unix 3 [ ] STREAM CONNECTED 16036 1897/systemd > > unix 2 [ ] DGRAM 20360 2136/auditd > > unix 3 [ ] STREAM CONNECTED 13260 1/init > /run/systemd/journal/stdout > root@guslogs:/etc/audit# > root@guslogs:/etc/audit# netstat -tanp | grep auditd > root@guslogs:/etc/audit# > root@guslogs:/etc/audit# iptables -L > Chain INPUT (policy ACCEPT) > target prot opt source destination > > Chain FORWARD (policy ACCEPT) > target prot opt source destination > > Chain OUTPUT (policy ACCEPT) > target prot opt source destination > root@guslogs:/etc/audit# > root@guslogs:/etc/audit# cat /etc/hosts.allow > # /etc/hosts.allow: list of hosts that are allowed to access the system. > # See the manual pages hosts_access(5) and > hosts_options(5). > # > # Example: ALL: LOCAL @some_netgroup > # ALL: .foobar.edu EXCEPT terminalserver.foobar.edu > # > # If you're going to protect the portmapper use the name "rpcbind" for the > # daemon name. See rpcbind(8) and rpc.mountd(8) for further information. > # > > ALL: ALL > root@guslogs:/etc/audit# > > > Best Regards, > Rituraj B > > On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb <sgrubb@redhat.com> wrote: > > On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote: > > > P > > > lease see inline- > > > > > > regards > > > > > > > > > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> wrote: > > > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote: > > > > > Hi > > > > > > > > > > I tried my best to configure the audisp-remote. > > > > > I am getting below error on the client machine in /var/log/syslog. > > > > > > > > > > Oct 2 14:41:15 xxxxxx audisp-remote: Error connecting to > > > > 192.168.103.7: > > > > > Connection refused > > > > > > > > On the server, what do you get for: > > > > > > > > ausearch --start recent -m DAEMON_ACCEPT -i > > > > > > > > The server side records some information about why it did not allow a > > > > connection. > > > > > > I dont see any info in here. > > > > > > # ausearch --start recent -m DAEMON_ACCEPT -i > > > <no matches> > > > > Then its not connecting at all. Maybe your firewall is blocking it. Maybe > > selinux is blocking it? Once auditd sees its socket is readable, it calls > > accept(2) and there is no path through the code that doesn't log an event > > with > > a reason. Every possible failure logs a distinct reason why the connection > > failed. > > > > > I tried without --start & -i options as well. > > > > --start today if you didn't connect within 10 minutes of running the > > command. > > > > > But when I do a tcpdump on central server, I do see requests coming in. > > > > (I > > > > > changed port to 60). > > > # tcpdump -i eth1 '( port 60 )' > > > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq > > > > 4076269451, > > > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], > > > length 0 > > > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack > > > 4076269452, win 0, length 0 > > > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq > > > > 4076287474, > > > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], > > > length 0 > > > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack > > > 18024, win 0, length 0 > > > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq > > > > 4076300652, > > > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], > > > length 0 > > > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack > > > 31202, win 0, length 0 > > > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq > > > > 4076306151, > > > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], > > > length 0 > > > > > > I think the service is only listening locally and not for remote > > > connections? > > > > It opens a socket on all addresses. > > # netstat -tanp | grep auditd > > tcp 0 0 0.0.0.0:60 0.0.0.0:* LISTEN > > 893/auditd > > > > > root@logs:/etc/audit# lsof -i :60 > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > > > audisp-re 1713 root 3u IPv4 17433 0t0 TCP 192.168.103.7:60-> > > > 192.168.103.7:60 (ESTABLISHED) > > > > > > > > > How do I see that I am using libwrap? > > > > It should have a config line in auditd.conf. If you do not, it defaults to > > yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. > > Odds > > are you put nothing there and the connection proceeds. If I were to guess, > > I'd > > say iptables is blocking your connection. > > > > > I have enable_krb5=no in the > > > auditd.conf on the aggregative server. > > > > Good. Cause doing a krb5 connection without setting that up will cause it > > to > > fail also. I'd bet on iptables being the problem. > > > > -Steve > > > > > > > 192.168.103.7 is the IP address of the central log server. > > > > > > > > > > Notes: My settings are below: > > > > > > > > > > on server as well on client: > > > > > /etc/audisp/audisp-remote > > > > > > > > > > remote_server = 192.168.103.7 > > > > > port = 6999 > > > > > local_port = 6999 > > > > > transport = tcp > > > > > queue_file = /var/spool/audit/remote.log > > > > > mode = immediate > > > > > queue_depth = 2048 > > > > > format = ascii > > > > > network_retry_time = 100 > > > > > > > > This is probably not your problem but managed is the normal setting > > > > for > > > > format. And do you have enable_krb5 set to no? > > > > > > > > > I have enabled name_format=HOSTNAME only in one place (in > > > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf > > > > > > > > > > entries in auditd.conf: > > > > > > > > > > rtcp_listen_port = 6999 > > > > > tcp_listen_queue = 5 > > > > > tcp_max_per_addr = 10 > > > > > tcp_client_ports = 0-65535 > > > > > tcp_client_max_idle = 0 > > > > > > > > What do you have for use_libwrap and enable_krb5? > > > > > > > > The ausearcn info from the aggregating server should tell the reason > > > > why > > > > > > the > > > > connection is rejected. > > > > > > > > -Steve > > > > > > > > > I see the server is listening on the port 6999 as below but its not > > > > > accepting client request. > > > > > root@logs:/etc# lsof -i :6999 > > > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > > > > > audisp-re 9091 root 3u IPv4 33671 0t0 TCP > > > > 192.168.103.7:6999 > > > > > > -> > > > > > > > > > 192.168.103.7:6999 (ESTABLISHED) > > > > > > > > > > > > > > > > > > > > Best Regards, > > > > > Rituraj B -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Audisp-remote - connection refused. 2017-10-03 15:08 ` Steve Grubb @ 2017-10-03 18:40 ` Rituraj Buddhisagar 2017-10-03 19:08 ` Rituraj Buddhisagar 0 siblings, 1 reply; 16+ messages in thread From: Rituraj Buddhisagar @ 2017-10-03 18:40 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 10945 bytes --] Hi Steve / Audit List ; I have this issue because Ubuntu has disabled support for listener in their distribution !! On a blog I found that Debian has not disabled it but the Ubuntu distribution has. I found this when I ran auditd in foreground with -f option. Listener support is not enabled, ignoring value at line 25 tcp_listen_queue_parser called with: 5 Listener support is not enabled, ignoring value at line 26 tcp_max_per_addr_parser called with: 1 Listener support is not enabled, ignoring value at line 27 tcp_listen_queue_parser called with: 1024-65535 Listener support is not enabled, ignoring value at line 28 tcp_client_max_idle_parser called with: 0 Steve, I then went to source site ( https://people.redhat.com/sgrubb/audit/ ) and downloaded a zip from there. I am doing a install using below config command : it fails with python-packages dependency. ./configure --prefix=/usr/local --sbindir=/usr/local/sbin --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes ............ ............. ............. checking for python platform... linux2 checking for python script directory... ${prefix}/lib/python2.7/dist-packages checking for python extension module directory... ${exec_prefix}/lib/python2.7/dist-packages configure: error: Python explicitly requested and python headers were not found root@guslogs:/usr/src/audit-2.7.8# Please can you tell me which dependent packages I need to download and configure apart from python? (with a source link would help). I see on the site that you have included - "Improved Remote Logging" in the Roadmap :) Appreciate it and anticipating it ! In the meanwhile I am also thinking of requesting Ubuntu for adding this support - not sure why they did this, what is their logic behind this. I hereby request if you can do something from your end to discuss with Ubuntu maintenars to enable this - as there is a HUGE Linux support base out there using that distro. Thanks! Best Regards, Rituraj B On Tue, Oct 3, 2017 at 8:38 PM, Steve Grubb <sgrubb@redhat.com> wrote: > On Tuesday, October 3, 2017 8:52:48 AM EDT Rituraj Buddhisagar wrote: > > Hi Steve, > > > > I did check IPtables and I am not having any rules in there. I have > allowed > > the connections in /etc/hosts.allow. But then I do not see auditd > listening > > on port 60. > > It just shows "ESSTABLISHED" connection on the aggregating server - which > > is itself! > > You should not enable audisp-remote on the aggregating server. Auditd > handles > incoming connections itself. > > -Steve > > > root@guslogs:/etc/audit# lsof -i :60 > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > > audisp-re 2146 root 3u IPv4 20368 0t0 TCP 192.168.103.7:60-> > > 192.168.103.7:60 (ESTABLISHED) > > root@guslogs:/etc/audit# > > root@guslogs:/etc/audit# netstat -pan | grep 60 > > tcp 0 0 0.0.0.0:22 0.0.0.0:* > LISTEN > > 1260/sshd > > tcp 10491 1360 192.168.103.7:60 192.168.103.7:60 > > ESTABLISHED 2146/audisp-remote > > tcp6 0 0 :::22 :::* > LISTEN > > 1260/sshd > > unix 2 [ ACC ] STREAM LISTENING 16055 1925/0 > > /tmp/ssh-h0brbTMA4a/agent.1925 > > unix 3 [ ] STREAM CONNECTED 13777 1260/sshd > > > > unix 2 [ ] DGRAM 17760 1897/systemd > > > > unix 3 [ ] STREAM CONNECTED 16036 1897/systemd > > > > unix 2 [ ] DGRAM 20360 2136/auditd > > > > unix 3 [ ] STREAM CONNECTED 13260 1/init > > /run/systemd/journal/stdout > > root@guslogs:/etc/audit# > > root@guslogs:/etc/audit# netstat -tanp | grep auditd > > root@guslogs:/etc/audit# > > root@guslogs:/etc/audit# iptables -L > > Chain INPUT (policy ACCEPT) > > target prot opt source destination > > > > Chain FORWARD (policy ACCEPT) > > target prot opt source destination > > > > Chain OUTPUT (policy ACCEPT) > > target prot opt source destination > > root@guslogs:/etc/audit# > > root@guslogs:/etc/audit# cat /etc/hosts.allow > > # /etc/hosts.allow: list of hosts that are allowed to access the system. > > # See the manual pages hosts_access(5) and > > hosts_options(5). > > # > > # Example: ALL: LOCAL @some_netgroup > > # ALL: .foobar.edu EXCEPT terminalserver.foobar.edu > > # > > # If you're going to protect the portmapper use the name "rpcbind" for > the > > # daemon name. See rpcbind(8) and rpc.mountd(8) for further information. > > # > > > > ALL: ALL > > root@guslogs:/etc/audit# > > > > > > Best Regards, > > Rituraj B > > > > On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb <sgrubb@redhat.com> wrote: > > > On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote: > > > > P > > > > lease see inline- > > > > > > > > regards > > > > > > > > > > > > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> > wrote: > > > > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar > wrote: > > > > > > Hi > > > > > > > > > > > > I tried my best to configure the audisp-remote. > > > > > > I am getting below error on the client machine in > /var/log/syslog. > > > > > > > > > > > > Oct 2 14:41:15 xxxxxx audisp-remote: Error connecting to > > > > > > 192.168.103.7: > > > > > > Connection refused > > > > > > > > > > On the server, what do you get for: > > > > > > > > > > ausearch --start recent -m DAEMON_ACCEPT -i > > > > > > > > > > The server side records some information about why it did not > allow a > > > > > connection. > > > > > > > > I dont see any info in here. > > > > > > > > # ausearch --start recent -m DAEMON_ACCEPT -i > > > > <no matches> > > > > > > Then its not connecting at all. Maybe your firewall is blocking it. > Maybe > > > selinux is blocking it? Once auditd sees its socket is readable, it > calls > > > accept(2) and there is no path through the code that doesn't log an > event > > > with > > > a reason. Every possible failure logs a distinct reason why the > connection > > > failed. > > > > > > > I tried without --start & -i options as well. > > > > > > --start today if you didn't connect within 10 minutes of running the > > > command. > > > > > > > But when I do a tcpdump on central server, I do see requests coming > in. > > > > > > (I > > > > > > > changed port to 60). > > > > # tcpdump -i eth1 '( port 60 )' > > > > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq > > > > > > 4076269451, > > > > > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale > 7], > > > > length 0 > > > > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, > ack > > > > 4076269452, win 0, length 0 > > > > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq > > > > > > 4076287474, > > > > > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale > 7], > > > > length 0 > > > > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, > ack > > > > 18024, win 0, length 0 > > > > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq > > > > > > 4076300652, > > > > > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale > 7], > > > > length 0 > > > > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, > ack > > > > 31202, win 0, length 0 > > > > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq > > > > > > 4076306151, > > > > > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale > 7], > > > > length 0 > > > > > > > > I think the service is only listening locally and not for remote > > > > connections? > > > > > > It opens a socket on all addresses. > > > # netstat -tanp | grep auditd > > > tcp 0 0 0.0.0.0:60 0.0.0.0:* > LISTEN > > > 893/auditd > > > > > > > root@logs:/etc/audit# lsof -i :60 > > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > > > > audisp-re 1713 root 3u IPv4 17433 0t0 TCP 192.168.103.7:60 > -> > > > > 192.168.103.7:60 (ESTABLISHED) > > > > > > > > > > > > How do I see that I am using libwrap? > > > > > > It should have a config line in auditd.conf. If you do not, it > defaults to > > > yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. > > > Odds > > > are you put nothing there and the connection proceeds. If I were to > guess, > > > I'd > > > say iptables is blocking your connection. > > > > > > > I have enable_krb5=no in the > > > > auditd.conf on the aggregative server. > > > > > > Good. Cause doing a krb5 connection without setting that up will cause > it > > > to > > > fail also. I'd bet on iptables being the problem. > > > > > > -Steve > > > > > > > > > 192.168.103.7 is the IP address of the central log server. > > > > > > > > > > > > Notes: My settings are below: > > > > > > > > > > > > on server as well on client: > > > > > > /etc/audisp/audisp-remote > > > > > > > > > > > > remote_server = 192.168.103.7 > > > > > > port = 6999 > > > > > > local_port = 6999 > > > > > > transport = tcp > > > > > > queue_file = /var/spool/audit/remote.log > > > > > > mode = immediate > > > > > > queue_depth = 2048 > > > > > > format = ascii > > > > > > network_retry_time = 100 > > > > > > > > > > This is probably not your problem but managed is the normal setting > > > > > for > > > > > format. And do you have enable_krb5 set to no? > > > > > > > > > > > I have enabled name_format=HOSTNAME only in one place (in > > > > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf > > > > > > > > > > > > entries in auditd.conf: > > > > > > > > > > > > rtcp_listen_port = 6999 > > > > > > tcp_listen_queue = 5 > > > > > > tcp_max_per_addr = 10 > > > > > > tcp_client_ports = 0-65535 > > > > > > tcp_client_max_idle = 0 > > > > > > > > > > What do you have for use_libwrap and enable_krb5? > > > > > > > > > > The ausearcn info from the aggregating server should tell the > reason > > > > > > why > > > > > > > > the > > > > > connection is rejected. > > > > > > > > > > -Steve > > > > > > > > > > > I see the server is listening on the port 6999 as below but its > not > > > > > > accepting client request. > > > > > > root@logs:/etc# lsof -i :6999 > > > > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > > > > > > audisp-re 9091 root 3u IPv4 33671 0t0 TCP > > > > > > 192.168.103.7:6999 > > > > > > > > -> > > > > > > > > > > > 192.168.103.7:6999 (ESTABLISHED) > > > > > > > > > > > > > > > > > > > > > > > > Best Regards, > > > > > > Rituraj B > > > [-- Attachment #1.2: Type: text/html, Size: 18522 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Audisp-remote - connection refused. 2017-10-03 18:40 ` Rituraj Buddhisagar @ 2017-10-03 19:08 ` Rituraj Buddhisagar 2017-10-03 20:00 ` Rituraj Buddhisagar 0 siblings, 1 reply; 16+ messages in thread From: Rituraj Buddhisagar @ 2017-10-03 19:08 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 11992 bytes --] Sorry if this seems like a spamming, but after I sent the earlier mail - I did install from source successfully with only --prefix=/usr/local I am now facing issue like the below: root@guslogs:/etc/init.d# /usr/local/sbin/auditd /usr/local/sbin/auditd: symbol lookup error: /usr/local/sbin/auditd: undefined symbol: auparse_destroy_ext If someone can point me to a clean and easy install with dependencies from source it would help. Steve, please see my previous mail regarding Ubuntu. Thanks a lot for help! Best Regards, Rituraj B On Wed, Oct 4, 2017 at 12:10 AM, Rituraj Buddhisagar <rituraj@vayana.com> wrote: > Hi Steve / Audit List ; > > I have this issue because Ubuntu has disabled support for listener in > their distribution !! > > On a blog I found that Debian has not disabled it but the Ubuntu > distribution has. > > I found this when I ran auditd in foreground with -f option. > > Listener support is not enabled, ignoring value at line 25 > tcp_listen_queue_parser called with: 5 > Listener support is not enabled, ignoring value at line 26 > tcp_max_per_addr_parser called with: 1 > Listener support is not enabled, ignoring value at line 27 > tcp_listen_queue_parser called with: 1024-65535 > Listener support is not enabled, ignoring value at line 28 > tcp_client_max_idle_parser called with: 0 > > > Steve, I then went to source site ( https://people.redhat.com/ > sgrubb/audit/ ) and downloaded a zip from there. > > I am doing a install using below config command : it fails with > python-packages dependency. > ./configure --prefix=/usr/local --sbindir=/usr/local/sbin > --with-python=yes --with-libwrap --enable-gssapi-krb5=yes > --with-libcap-ng=yes > ............ > ............. > ............. > > checking for python platform... linux2 > checking for python script directory... ${prefix}/lib/python2.7/dist- > packages > checking for python extension module directory... > ${exec_prefix}/lib/python2.7/dist-packages > configure: error: Python explicitly requested and python headers were not > found > root@guslogs:/usr/src/audit-2.7.8# > > > Please can you tell me which dependent packages I need to download and > configure apart from python? (with a source link would help). > > > I see on the site that you have included - "Improved Remote Logging" in > the Roadmap :) Appreciate it and anticipating it ! > > In the meanwhile I am also thinking of requesting Ubuntu for adding this > support - not sure why they did this, what is their logic behind this. I > hereby request if you can do something from your end to discuss with Ubuntu > maintenars to enable this - as there is a HUGE Linux support base out there > using that distro. > > Thanks! > > > > > > > Best Regards, > Rituraj B > > > On Tue, Oct 3, 2017 at 8:38 PM, Steve Grubb <sgrubb@redhat.com> wrote: > >> On Tuesday, October 3, 2017 8:52:48 AM EDT Rituraj Buddhisagar wrote: >> > Hi Steve, >> > >> > I did check IPtables and I am not having any rules in there. I have >> allowed >> > the connections in /etc/hosts.allow. But then I do not see auditd >> listening >> > on port 60. >> > It just shows "ESSTABLISHED" connection on the aggregating server - >> which >> > is itself! >> >> You should not enable audisp-remote on the aggregating server. Auditd >> handles >> incoming connections itself. >> >> -Steve >> >> > root@guslogs:/etc/audit# lsof -i :60 >> > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME >> > audisp-re 2146 root 3u IPv4 20368 0t0 TCP 192.168.103.7:60-> >> > 192.168.103.7:60 (ESTABLISHED) >> > root@guslogs:/etc/audit# >> > root@guslogs:/etc/audit# netstat -pan | grep 60 >> > tcp 0 0 0.0.0.0:22 0.0.0.0:* >> LISTEN >> > 1260/sshd >> > tcp 10491 1360 192.168.103.7:60 192.168.103.7:60 >> > ESTABLISHED 2146/audisp-remote >> > tcp6 0 0 :::22 :::* >> LISTEN >> > 1260/sshd >> > unix 2 [ ACC ] STREAM LISTENING 16055 1925/0 >> > /tmp/ssh-h0brbTMA4a/agent.1925 >> > unix 3 [ ] STREAM CONNECTED 13777 1260/sshd >> > >> > unix 2 [ ] DGRAM 17760 1897/systemd >> > >> > unix 3 [ ] STREAM CONNECTED 16036 1897/systemd >> > >> > unix 2 [ ] DGRAM 20360 2136/auditd >> > >> > unix 3 [ ] STREAM CONNECTED 13260 1/init >> > /run/systemd/journal/stdout >> > root@guslogs:/etc/audit# >> > root@guslogs:/etc/audit# netstat -tanp | grep auditd >> > root@guslogs:/etc/audit# >> > root@guslogs:/etc/audit# iptables -L >> > Chain INPUT (policy ACCEPT) >> > target prot opt source destination >> > >> > Chain FORWARD (policy ACCEPT) >> > target prot opt source destination >> > >> > Chain OUTPUT (policy ACCEPT) >> > target prot opt source destination >> > root@guslogs:/etc/audit# >> > root@guslogs:/etc/audit# cat /etc/hosts.allow >> > # /etc/hosts.allow: list of hosts that are allowed to access the system. >> > # See the manual pages hosts_access(5) and >> > hosts_options(5). >> > # >> > # Example: ALL: LOCAL @some_netgroup >> > # ALL: .foobar.edu EXCEPT terminalserver.foobar.edu >> > # >> > # If you're going to protect the portmapper use the name "rpcbind" for >> the >> > # daemon name. See rpcbind(8) and rpc.mountd(8) for further information. >> > # >> > >> > ALL: ALL >> > root@guslogs:/etc/audit# >> > >> > >> > Best Regards, >> > Rituraj B >> > >> > On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb <sgrubb@redhat.com> wrote: >> > > On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote: >> > > > P >> > > > lease see inline- >> > > > >> > > > regards >> > > > >> > > > >> > > > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> >> wrote: >> > > > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar >> wrote: >> > > > > > Hi >> > > > > > >> > > > > > I tried my best to configure the audisp-remote. >> > > > > > I am getting below error on the client machine in >> /var/log/syslog. >> > > > > > >> > > > > > Oct 2 14:41:15 xxxxxx audisp-remote: Error connecting to >> > > >> > > 192.168.103.7: >> > > > > > Connection refused >> > > > > >> > > > > On the server, what do you get for: >> > > > > >> > > > > ausearch --start recent -m DAEMON_ACCEPT -i >> > > > > >> > > > > The server side records some information about why it did not >> allow a >> > > > > connection. >> > > > >> > > > I dont see any info in here. >> > > > >> > > > # ausearch --start recent -m DAEMON_ACCEPT -i >> > > > <no matches> >> > > >> > > Then its not connecting at all. Maybe your firewall is blocking it. >> Maybe >> > > selinux is blocking it? Once auditd sees its socket is readable, it >> calls >> > > accept(2) and there is no path through the code that doesn't log an >> event >> > > with >> > > a reason. Every possible failure logs a distinct reason why the >> connection >> > > failed. >> > > >> > > > I tried without --start & -i options as well. >> > > >> > > --start today if you didn't connect within 10 minutes of running the >> > > command. >> > > >> > > > But when I do a tcpdump on central server, I do see requests coming >> in. >> > > >> > > (I >> > > >> > > > changed port to 60). >> > > > # tcpdump -i eth1 '( port 60 )' >> > > > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq >> > > >> > > 4076269451, >> > > >> > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale >> 7], >> > > > length 0 >> > > > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, >> ack >> > > > 4076269452, win 0, length 0 >> > > > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq >> > > >> > > 4076287474, >> > > >> > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale >> 7], >> > > > length 0 >> > > > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, >> ack >> > > > 18024, win 0, length 0 >> > > > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq >> > > >> > > 4076300652, >> > > >> > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale >> 7], >> > > > length 0 >> > > > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, >> ack >> > > > 31202, win 0, length 0 >> > > > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq >> > > >> > > 4076306151, >> > > >> > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale >> 7], >> > > > length 0 >> > > > >> > > > I think the service is only listening locally and not for remote >> > > > connections? >> > > >> > > It opens a socket on all addresses. >> > > # netstat -tanp | grep auditd >> > > tcp 0 0 0.0.0.0:60 0.0.0.0:* >> LISTEN >> > > 893/auditd >> > > >> > > > root@logs:/etc/audit# lsof -i :60 >> > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME >> > > > audisp-re 1713 root 3u IPv4 17433 0t0 TCP >> 192.168.103.7:60-> >> > > > 192.168.103.7:60 (ESTABLISHED) >> > > > >> > > > >> > > > How do I see that I am using libwrap? >> > > >> > > It should have a config line in auditd.conf. If you do not, it >> defaults to >> > > yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. >> > > Odds >> > > are you put nothing there and the connection proceeds. If I were to >> guess, >> > > I'd >> > > say iptables is blocking your connection. >> > > >> > > > I have enable_krb5=no in the >> > > > auditd.conf on the aggregative server. >> > > >> > > Good. Cause doing a krb5 connection without setting that up will >> cause it >> > > to >> > > fail also. I'd bet on iptables being the problem. >> > > >> > > -Steve >> > > >> > > > > > 192.168.103.7 is the IP address of the central log server. >> > > > > > >> > > > > > Notes: My settings are below: >> > > > > > >> > > > > > on server as well on client: >> > > > > > /etc/audisp/audisp-remote >> > > > > > >> > > > > > remote_server = 192.168.103.7 >> > > > > > port = 6999 >> > > > > > local_port = 6999 >> > > > > > transport = tcp >> > > > > > queue_file = /var/spool/audit/remote.log >> > > > > > mode = immediate >> > > > > > queue_depth = 2048 >> > > > > > format = ascii >> > > > > > network_retry_time = 100 >> > > > > >> > > > > This is probably not your problem but managed is the normal >> setting >> > > > > for >> > > > > format. And do you have enable_krb5 set to no? >> > > > > >> > > > > > I have enabled name_format=HOSTNAME only in one place (in >> > > > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf >> > > > > > >> > > > > > entries in auditd.conf: >> > > > > > >> > > > > > rtcp_listen_port = 6999 >> > > > > > tcp_listen_queue = 5 >> > > > > > tcp_max_per_addr = 10 >> > > > > > tcp_client_ports = 0-65535 >> > > > > > tcp_client_max_idle = 0 >> > > > > >> > > > > What do you have for use_libwrap and enable_krb5? >> > > > > >> > > > > The ausearcn info from the aggregating server should tell the >> reason >> > > >> > > why >> > > >> > > > > the >> > > > > connection is rejected. >> > > > > >> > > > > -Steve >> > > > > >> > > > > > I see the server is listening on the port 6999 as below but its >> not >> > > > > > accepting client request. >> > > > > > root@logs:/etc# lsof -i :6999 >> > > > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME >> > > > > > audisp-re 9091 root 3u IPv4 33671 0t0 TCP >> > > >> > > 192.168.103.7:6999 >> > > >> > > > > -> >> > > > > >> > > > > > 192.168.103.7:6999 (ESTABLISHED) >> > > > > > >> > > > > > >> > > > > > >> > > > > > Best Regards, >> > > > > > Rituraj B >> >> >> > [-- Attachment #1.2: Type: text/html, Size: 21067 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Audisp-remote - connection refused. 2017-10-03 19:08 ` Rituraj Buddhisagar @ 2017-10-03 20:00 ` Rituraj Buddhisagar 2017-10-03 20:22 ` Steve Grubb 0 siblings, 1 reply; 16+ messages in thread From: Rituraj Buddhisagar @ 2017-10-03 20:00 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 13038 bytes --] Steve, Here is the relevant discussion on disabling the tcp listener on Ubuntu. https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html I do not know what exactly caused change - but now I think it should be enabled in distributions. Please let me know. Btw, I got auditd running (by setting LD_LIBRARY_PATH variable) from source now. Still audispd is not started now - what is the way / sequence to start auditd and audispd - if you can point me to some reference or a startup script will help. Thanks! On Wed, Oct 4, 2017 at 12:38 AM, Rituraj Buddhisagar <rituraj@vayana.com> wrote: > Sorry if this seems like a spamming, but after I sent the earlier mail - I > did install from source successfully with only --prefix=/usr/local > > I am now facing issue like the below: > > root@guslogs:/etc/init.d# /usr/local/sbin/auditd > /usr/local/sbin/auditd: symbol lookup error: /usr/local/sbin/auditd: > undefined symbol: auparse_destroy_ext > > If someone can point me to a clean and easy install with dependencies from > source it would help. > > Steve, please see my previous mail regarding Ubuntu. Thanks a lot for help! > > > > Best Regards, > Rituraj B > > > On Wed, Oct 4, 2017 at 12:10 AM, Rituraj Buddhisagar <rituraj@vayana.com> > wrote: > >> Hi Steve / Audit List ; >> >> I have this issue because Ubuntu has disabled support for listener in >> their distribution !! >> >> On a blog I found that Debian has not disabled it but the Ubuntu >> distribution has. >> >> I found this when I ran auditd in foreground with -f option. >> >> Listener support is not enabled, ignoring value at line 25 >> tcp_listen_queue_parser called with: 5 >> Listener support is not enabled, ignoring value at line 26 >> tcp_max_per_addr_parser called with: 1 >> Listener support is not enabled, ignoring value at line 27 >> tcp_listen_queue_parser called with: 1024-65535 >> Listener support is not enabled, ignoring value at line 28 >> tcp_client_max_idle_parser called with: 0 >> >> >> Steve, I then went to source site ( https://people.redhat.com/sgru >> bb/audit/ ) and downloaded a zip from there. >> >> I am doing a install using below config command : it fails with >> python-packages dependency. >> ./configure --prefix=/usr/local --sbindir=/usr/local/sbin >> --with-python=yes --with-libwrap --enable-gssapi-krb5=yes >> --with-libcap-ng=yes >> ............ >> ............. >> ............. >> >> checking for python platform... linux2 >> checking for python script directory... ${prefix}/lib/python2.7/dist-p >> ackages >> checking for python extension module directory... >> ${exec_prefix}/lib/python2.7/dist-packages >> configure: error: Python explicitly requested and python headers were not >> found >> root@guslogs:/usr/src/audit-2.7.8# >> >> >> Please can you tell me which dependent packages I need to download and >> configure apart from python? (with a source link would help). >> >> >> I see on the site that you have included - "Improved Remote Logging" in >> the Roadmap :) Appreciate it and anticipating it ! >> >> In the meanwhile I am also thinking of requesting Ubuntu for adding this >> support - not sure why they did this, what is their logic behind this. I >> hereby request if you can do something from your end to discuss with Ubuntu >> maintenars to enable this - as there is a HUGE Linux support base out there >> using that distro. >> >> Thanks! >> >> >> >> >> >> >> Best Regards, >> Rituraj B >> >> >> On Tue, Oct 3, 2017 at 8:38 PM, Steve Grubb <sgrubb@redhat.com> wrote: >> >>> On Tuesday, October 3, 2017 8:52:48 AM EDT Rituraj Buddhisagar wrote: >>> > Hi Steve, >>> > >>> > I did check IPtables and I am not having any rules in there. I have >>> allowed >>> > the connections in /etc/hosts.allow. But then I do not see auditd >>> listening >>> > on port 60. >>> > It just shows "ESSTABLISHED" connection on the aggregating server - >>> which >>> > is itself! >>> >>> You should not enable audisp-remote on the aggregating server. Auditd >>> handles >>> incoming connections itself. >>> >>> -Steve >>> >>> > root@guslogs:/etc/audit# lsof -i :60 >>> > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME >>> > audisp-re 2146 root 3u IPv4 20368 0t0 TCP 192.168.103.7:60 >>> -> >>> > 192.168.103.7:60 (ESTABLISHED) >>> > root@guslogs:/etc/audit# >>> > root@guslogs:/etc/audit# netstat -pan | grep 60 >>> > tcp 0 0 0.0.0.0:22 0.0.0.0:* >>> LISTEN >>> > 1260/sshd >>> > tcp 10491 1360 192.168.103.7:60 192.168.103.7:60 >>> > ESTABLISHED 2146/audisp-remote >>> > tcp6 0 0 :::22 :::* >>> LISTEN >>> > 1260/sshd >>> > unix 2 [ ACC ] STREAM LISTENING 16055 1925/0 >>> > /tmp/ssh-h0brbTMA4a/agent.1925 >>> > unix 3 [ ] STREAM CONNECTED 13777 1260/sshd >>> > >>> > unix 2 [ ] DGRAM 17760 1897/systemd >>> > >>> > unix 3 [ ] STREAM CONNECTED 16036 1897/systemd >>> > >>> > unix 2 [ ] DGRAM 20360 2136/auditd >>> > >>> > unix 3 [ ] STREAM CONNECTED 13260 1/init >>> > /run/systemd/journal/stdout >>> > root@guslogs:/etc/audit# >>> > root@guslogs:/etc/audit# netstat -tanp | grep auditd >>> > root@guslogs:/etc/audit# >>> > root@guslogs:/etc/audit# iptables -L >>> > Chain INPUT (policy ACCEPT) >>> > target prot opt source destination >>> > >>> > Chain FORWARD (policy ACCEPT) >>> > target prot opt source destination >>> > >>> > Chain OUTPUT (policy ACCEPT) >>> > target prot opt source destination >>> > root@guslogs:/etc/audit# >>> > root@guslogs:/etc/audit# cat /etc/hosts.allow >>> > # /etc/hosts.allow: list of hosts that are allowed to access the >>> system. >>> > # See the manual pages hosts_access(5) and >>> > hosts_options(5). >>> > # >>> > # Example: ALL: LOCAL @some_netgroup >>> > # ALL: .foobar.edu EXCEPT terminalserver.foobar.edu >>> > # >>> > # If you're going to protect the portmapper use the name "rpcbind" for >>> the >>> > # daemon name. See rpcbind(8) and rpc.mountd(8) for further >>> information. >>> > # >>> > >>> > ALL: ALL >>> > root@guslogs:/etc/audit# >>> > >>> > >>> > Best Regards, >>> > Rituraj B >>> > >>> > On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb <sgrubb@redhat.com> wrote: >>> > > On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote: >>> > > > P >>> > > > lease see inline- >>> > > > >>> > > > regards >>> > > > >>> > > > >>> > > > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> >>> wrote: >>> > > > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar >>> wrote: >>> > > > > > Hi >>> > > > > > >>> > > > > > I tried my best to configure the audisp-remote. >>> > > > > > I am getting below error on the client machine in >>> /var/log/syslog. >>> > > > > > >>> > > > > > Oct 2 14:41:15 xxxxxx audisp-remote: Error connecting to >>> > > >>> > > 192.168.103.7: >>> > > > > > Connection refused >>> > > > > >>> > > > > On the server, what do you get for: >>> > > > > >>> > > > > ausearch --start recent -m DAEMON_ACCEPT -i >>> > > > > >>> > > > > The server side records some information about why it did not >>> allow a >>> > > > > connection. >>> > > > >>> > > > I dont see any info in here. >>> > > > >>> > > > # ausearch --start recent -m DAEMON_ACCEPT -i >>> > > > <no matches> >>> > > >>> > > Then its not connecting at all. Maybe your firewall is blocking it. >>> Maybe >>> > > selinux is blocking it? Once auditd sees its socket is readable, it >>> calls >>> > > accept(2) and there is no path through the code that doesn't log an >>> event >>> > > with >>> > > a reason. Every possible failure logs a distinct reason why the >>> connection >>> > > failed. >>> > > >>> > > > I tried without --start & -i options as well. >>> > > >>> > > --start today if you didn't connect within 10 minutes of running the >>> > > command. >>> > > >>> > > > But when I do a tcpdump on central server, I do see requests >>> coming in. >>> > > >>> > > (I >>> > > >>> > > > changed port to 60). >>> > > > # tcpdump -i eth1 '( port 60 )' >>> > > > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq >>> > > >>> > > 4076269451, >>> > > >>> > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale >>> 7], >>> > > > length 0 >>> > > > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, >>> ack >>> > > > 4076269452, win 0, length 0 >>> > > > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq >>> > > >>> > > 4076287474, >>> > > >>> > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale >>> 7], >>> > > > length 0 >>> > > > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, >>> ack >>> > > > 18024, win 0, length 0 >>> > > > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq >>> > > >>> > > 4076300652, >>> > > >>> > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale >>> 7], >>> > > > length 0 >>> > > > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, >>> ack >>> > > > 31202, win 0, length 0 >>> > > > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq >>> > > >>> > > 4076306151, >>> > > >>> > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale >>> 7], >>> > > > length 0 >>> > > > >>> > > > I think the service is only listening locally and not for remote >>> > > > connections? >>> > > >>> > > It opens a socket on all addresses. >>> > > # netstat -tanp | grep auditd >>> > > tcp 0 0 0.0.0.0:60 0.0.0.0:* >>> LISTEN >>> > > 893/auditd >>> > > >>> > > > root@logs:/etc/audit# lsof -i :60 >>> > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME >>> > > > audisp-re 1713 root 3u IPv4 17433 0t0 TCP >>> 192.168.103.7:60-> >>> > > > 192.168.103.7:60 (ESTABLISHED) >>> > > > >>> > > > >>> > > > How do I see that I am using libwrap? >>> > > >>> > > It should have a config line in auditd.conf. If you do not, it >>> defaults to >>> > > yes. That means it looks in /etc/hosts.allow and hosts.deny to >>> decide. >>> > > Odds >>> > > are you put nothing there and the connection proceeds. If I were to >>> guess, >>> > > I'd >>> > > say iptables is blocking your connection. >>> > > >>> > > > I have enable_krb5=no in the >>> > > > auditd.conf on the aggregative server. >>> > > >>> > > Good. Cause doing a krb5 connection without setting that up will >>> cause it >>> > > to >>> > > fail also. I'd bet on iptables being the problem. >>> > > >>> > > -Steve >>> > > >>> > > > > > 192.168.103.7 is the IP address of the central log server. >>> > > > > > >>> > > > > > Notes: My settings are below: >>> > > > > > >>> > > > > > on server as well on client: >>> > > > > > /etc/audisp/audisp-remote >>> > > > > > >>> > > > > > remote_server = 192.168.103.7 >>> > > > > > port = 6999 >>> > > > > > local_port = 6999 >>> > > > > > transport = tcp >>> > > > > > queue_file = /var/spool/audit/remote.log >>> > > > > > mode = immediate >>> > > > > > queue_depth = 2048 >>> > > > > > format = ascii >>> > > > > > network_retry_time = 100 >>> > > > > >>> > > > > This is probably not your problem but managed is the normal >>> setting >>> > > > > for >>> > > > > format. And do you have enable_krb5 set to no? >>> > > > > >>> > > > > > I have enabled name_format=HOSTNAME only in one place (in >>> > > > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf >>> > > > > > >>> > > > > > entries in auditd.conf: >>> > > > > > >>> > > > > > rtcp_listen_port = 6999 >>> > > > > > tcp_listen_queue = 5 >>> > > > > > tcp_max_per_addr = 10 >>> > > > > > tcp_client_ports = 0-65535 >>> > > > > > tcp_client_max_idle = 0 >>> > > > > >>> > > > > What do you have for use_libwrap and enable_krb5? >>> > > > > >>> > > > > The ausearcn info from the aggregating server should tell the >>> reason >>> > > >>> > > why >>> > > >>> > > > > the >>> > > > > connection is rejected. >>> > > > > >>> > > > > -Steve >>> > > > > >>> > > > > > I see the server is listening on the port 6999 as below but >>> its not >>> > > > > > accepting client request. >>> > > > > > root@logs:/etc# lsof -i :6999 >>> > > > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME >>> > > > > > audisp-re 9091 root 3u IPv4 33671 0t0 TCP >>> > > >>> > > 192.168.103.7:6999 >>> > > >>> > > > > -> >>> > > > > >>> > > > > > 192.168.103.7:6999 (ESTABLISHED) >>> > > > > > >>> > > > > > >>> > > > > > >>> > > > > > Best Regards, >>> > > > > > Rituraj B >>> >>> >>> >> > [-- Attachment #1.2: Type: text/html, Size: 23837 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Audisp-remote - connection refused. 2017-10-03 20:00 ` Rituraj Buddhisagar @ 2017-10-03 20:22 ` Steve Grubb 2017-10-04 14:01 ` Rituraj Buddhisagar 0 siblings, 1 reply; 16+ messages in thread From: Steve Grubb @ 2017-10-03 20:22 UTC (permalink / raw) To: Rituraj Buddhisagar; +Cc: linux-audit On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote: > Steve, > > Here is the relevant discussion on disabling the tcp listener on Ubuntu. > https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html > > I do not know what exactly caused change - but now I think it should be > enabled in distributions. > > Please let me know. > > Btw, I got auditd running (by setting LD_LIBRARY_PATH variable) from source > now. Still audispd is not started now - what is the way / sequence to start > auditd and audispd - if you can point me to some reference or a startup > script will help. Since you installed in a non-standard location, you probably need to adjust paths in the config files. What I would recommend is not to build and install by hand, but to use their package manager to build a new package with listening enabled. The ./configure script takes a --disable-listener parameter. So, its probably as simple as deleting that in the source package and rebuilding. That said, I have no idea how to build a package on Debian or Ubuntu. -Steve ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Audisp-remote - connection refused. 2017-10-03 20:22 ` Steve Grubb @ 2017-10-04 14:01 ` Rituraj Buddhisagar 2017-10-04 15:19 ` Steve Grubb 0 siblings, 1 reply; 16+ messages in thread From: Rituraj Buddhisagar @ 2017-10-04 14:01 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 2165 bytes --] Hi Steve / List Now, I have built auditd from source as per the mail thread and then also created a startup script. The auditd is starting successfully. The client is able to connect to the aggregating server. *node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272): addr=192.168.103.2 port=60 res=success* I have made the necessary change in the server in /etc/audit/auditd.conf *log_format = NOLOG* I do not see any logs being populated - I checked log file on client, the server - also the /var/spool/audit/remote.log on the client. On the server side /var/spool/audit/remote.log is empty (I am not sure if this is something I should be checking at all) I am clueless as to what is happening. Is there some way to debug this? Where are these logs getting lost? When change the log_format back to RAW I do see the logs getting created on the client. I did my best reading on net and debugging this - but no success. Please help. On Wed, Oct 4, 2017 at 1:52 AM, Steve Grubb <sgrubb@redhat.com> wrote: > On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote: > > Steve, > > > > Here is the relevant discussion on disabling the tcp listener on Ubuntu. > > https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html > > > > I do not know what exactly caused change - but now I think it should be > > enabled in distributions. > > > > Please let me know. > > > > Btw, I got auditd running (by setting LD_LIBRARY_PATH variable) from > source > > now. Still audispd is not started now - what is the way / sequence to > start > > auditd and audispd - if you can point me to some reference or a startup > > script will help. > > Since you installed in a non-standard location, you probably need to adjust > paths in the config files. > > What I would recommend is not to build and install by hand, but to use > their > package manager to build a new package with listening enabled. The > ./configure > script takes a --disable-listener parameter. So, its probably as simple as > deleting that in the source package and rebuilding. > > That said, I have no idea how to build a package on Debian or Ubuntu. > > -Steve > [-- Attachment #1.2: Type: text/html, Size: 5382 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Audisp-remote - connection refused. 2017-10-04 14:01 ` Rituraj Buddhisagar @ 2017-10-04 15:19 ` Steve Grubb 2017-10-04 16:02 ` Rituraj Buddhisagar 0 siblings, 1 reply; 16+ messages in thread From: Steve Grubb @ 2017-10-04 15:19 UTC (permalink / raw) To: Rituraj Buddhisagar; +Cc: linux-audit On Wednesday, October 4, 2017 10:01:49 AM EDT Rituraj Buddhisagar wrote: > Hi Steve / List > > Now, I have built auditd from source as per the mail thread and then also > created a startup script. > > The auditd is starting successfully. > > The client is able to connect to the aggregating server. > > > *node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272): > addr=192.168.103.2 port=60 res=success* > > > I have made the necessary change in the server in /etc/audit/auditd.conf > > *log_format = NOLOG* This is a deprecated option tells it to not write anything to disk. > I do not see any logs being populated - I checked log file on client, the > server - also the /var/spool/audit/remote.log on the client. > On the server side /var/spool/audit/remote.log is empty (I am not sure if > this is something I should be checking at all) > > I am clueless as to what is happening. Is there some way to debug this? Did you modify auditd.conf to have the format be nolog? If so, its an explained condition. Nolog means no logging to disk. > Where are these logs getting lost? > When change the log_format back to RAW I do see the logs getting created on > the client. For remote logging, you should set the format to enriched. This resolves things locally so that the aggregating server can make sense of it later. If you do not want events written to disk on the remote system, set write_logs = no. You should also set name_format = hostname (or something else) in auditd.conf of the remote systems. This is so you can tell who is creating the events in the aggregating server. On the aggregating server, also set the format to enriched. But there you have to have write_logs = yes. Also set name_format = hostname in auditd.conf of the server. I would not recommend setting the name in audispd.conf for any system. -Steve > I did my best reading on net and debugging this - but no success. Please > help. > > On Wed, Oct 4, 2017 at 1:52 AM, Steve Grubb <sgrubb@redhat.com> wrote: > > On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote: > > > Steve, > > > > > > Here is the relevant discussion on disabling the tcp listener on Ubuntu. > > > https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html > > > > > > I do not know what exactly caused change - but now I think it should be > > > enabled in distributions. > > > > > > Please let me know. > > > > > > Btw, I got auditd running (by setting LD_LIBRARY_PATH variable) from > > > > source > > > > > now. Still audispd is not started now - what is the way / sequence to > > > > start > > > > > auditd and audispd - if you can point me to some reference or a startup > > > script will help. > > > > Since you installed in a non-standard location, you probably need to > > adjust > > paths in the config files. > > > > What I would recommend is not to build and install by hand, but to use > > their > > package manager to build a new package with listening enabled. The > > ./configure > > script takes a --disable-listener parameter. So, its probably as simple as > > deleting that in the source package and rebuilding. > > > > That said, I have no idea how to build a package on Debian or Ubuntu. > > > > -Steve ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Audisp-remote - connection refused. 2017-10-04 15:19 ` Steve Grubb @ 2017-10-04 16:02 ` Rituraj Buddhisagar 2017-10-04 16:28 ` Steve Grubb 0 siblings, 1 reply; 16+ messages in thread From: Rituraj Buddhisagar @ 2017-10-04 16:02 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 3987 bytes --] HI Steve, I did the necessary, Change in auditd.conf - log_format to ENRICHED. write_logs set to "no" on client and "yes" on aggregating server. name_format was already set in auditd.conf and not in audispd.conf on both the servers. I still do not see any logs coming in /var/log/audit/audit.log on aggregating server. Any debugging tools to see the queue of audisp-remote? The spool file /var/spool/audit/remote.log is not having entries populated (btw I had to create it manually). Thanks! On Wed, Oct 4, 2017 at 8:49 PM, Steve Grubb <sgrubb@redhat.com> wrote: > On Wednesday, October 4, 2017 10:01:49 AM EDT Rituraj Buddhisagar wrote: > > Hi Steve / List > > > > Now, I have built auditd from source as per the mail thread and then also > > created a startup script. > > > > The auditd is starting successfully. > > > > The client is able to connect to the aggregating server. > > > > > > *node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272): > > addr=192.168.103.2 port=60 res=success* > > > > > > I have made the necessary change in the server in /etc/audit/auditd.conf > > > > *log_format = NOLOG* > > This is a deprecated option tells it to not write anything to disk. > > > I do not see any logs being populated - I checked log file on client, the > > server - also the /var/spool/audit/remote.log on the client. > > On the server side /var/spool/audit/remote.log is empty (I am not sure if > > this is something I should be checking at all) > > > > I am clueless as to what is happening. Is there some way to debug this? > > Did you modify auditd.conf to have the format be nolog? If so, its an > explained condition. Nolog means no logging to disk. > > > Where are these logs getting lost? > > When change the log_format back to RAW I do see the logs getting created > on > > the client. > > For remote logging, you should set the format to enriched. This resolves > things locally so that the aggregating server can make sense of it later. > If > you do not want events written to disk on the remote system, set > write_logs = > no. You should also set name_format = hostname (or something else) in > auditd.conf of the remote systems. This is so you can tell who is creating > the > events in the aggregating server. > > On the aggregating server, also set the format to enriched. But there you > have > to have write_logs = yes. Also set name_format = hostname in auditd.conf of > the server. > > I would not recommend setting the name in audispd.conf for any system. > > -Steve > > > I did my best reading on net and debugging this - but no success. Please > > help. > > > > On Wed, Oct 4, 2017 at 1:52 AM, Steve Grubb <sgrubb@redhat.com> wrote: > > > On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote: > > > > Steve, > > > > > > > > Here is the relevant discussion on disabling the tcp listener on > Ubuntu. > > > > https://www.redhat.com/archives/linux-audit/2012- > September/msg00027.html > > > > > > > > I do not know what exactly caused change - but now I think it should > be > > > > enabled in distributions. > > > > > > > > Please let me know. > > > > > > > > Btw, I got auditd running (by setting LD_LIBRARY_PATH variable) from > > > > > > source > > > > > > > now. Still audispd is not started now - what is the way / sequence to > > > > > > start > > > > > > > auditd and audispd - if you can point me to some reference or a > startup > > > > script will help. > > > > > > Since you installed in a non-standard location, you probably need to > > > adjust > > > paths in the config files. > > > > > > What I would recommend is not to build and install by hand, but to use > > > their > > > package manager to build a new package with listening enabled. The > > > ./configure > > > script takes a --disable-listener parameter. So, its probably as > simple as > > > deleting that in the source package and rebuilding. > > > > > > That said, I have no idea how to build a package on Debian or Ubuntu. > > > > > > -Steve > > > [-- Attachment #1.2: Type: text/html, Size: 6990 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Audisp-remote - connection refused. 2017-10-04 16:02 ` Rituraj Buddhisagar @ 2017-10-04 16:28 ` Steve Grubb 0 siblings, 0 replies; 16+ messages in thread From: Steve Grubb @ 2017-10-04 16:28 UTC (permalink / raw) To: Rituraj Buddhisagar; +Cc: linux-audit On Wednesday, October 4, 2017 12:02:06 PM EDT Rituraj Buddhisagar wrote: > HI Steve, > > I did the necessary, > Change in auditd.conf - log_format to ENRICHED. > write_logs set to "no" on client and "yes" on aggregating server. > name_format was already set in auditd.conf and not in audispd.conf on both > the servers. > > I still do not see any logs coming in /var/log/audit/audit.log on > aggregating server. You can run auditd -f on both systems to see on screen what is happening. Then on the remote, auditctl -m test. You should see it on the remote screen followed by the server screen. If you do, then something is wrong with your config file paths. If you don't see events, I think you have some troubleshooting of your own to do. I can't see your system so you'll have to figure it out. I also updated the INSTALL file in github to better reflect how to build and install it from scratch. > Any debugging tools to see the queue of audisp-remote? The spool file > /var/spool/audit/remote.log is not having entries populated (btw I had to > create it manually). It only uses a spool file if the mode is forward. Immediate mode does not use it. > On Wed, Oct 4, 2017 at 8:49 PM, Steve Grubb <sgrubb@redhat.com> wrote: > > On Wednesday, October 4, 2017 10:01:49 AM EDT Rituraj Buddhisagar wrote: > > > Hi Steve / List > > > > > > Now, I have built auditd from source as per the mail thread and then > > > also > > > created a startup script. > > > > > > The auditd is starting successfully. > > > > > > The client is able to connect to the aggregating server. > > > > > > > > > *node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272): > > > addr=192.168.103.2 port=60 res=success* > > > > > > > > > I have made the necessary change in the server in /etc/audit/auditd.conf > > > > > > *log_format = NOLOG* > > > > This is a deprecated option tells it to not write anything to disk. > > > > > I do not see any logs being populated - I checked log file on client, > > > the > > > server - also the /var/spool/audit/remote.log on the client. > > > On the server side /var/spool/audit/remote.log is empty (I am not sure > > > if > > > this is something I should be checking at all) > > > > > > I am clueless as to what is happening. Is there some way to debug this? > > > > Did you modify auditd.conf to have the format be nolog? If so, its an > > explained condition. Nolog means no logging to disk. > > > > > Where are these logs getting lost? > > > When change the log_format back to RAW I do see the logs getting created > > > > on > > > > > the client. > > > > For remote logging, you should set the format to enriched. This resolves > > things locally so that the aggregating server can make sense of it later. > > If > > you do not want events written to disk on the remote system, set > > write_logs = > > no. You should also set name_format = hostname (or something else) in > > auditd.conf of the remote systems. This is so you can tell who is creating > > the > > events in the aggregating server. > > > > On the aggregating server, also set the format to enriched. But there you > > have > > to have write_logs = yes. Also set name_format = hostname in auditd.conf > > of > > the server. > > > > I would not recommend setting the name in audispd.conf for any system. > > > > -Steve > > > > > I did my best reading on net and debugging this - but no success. Please > > > help. > > > > > > On Wed, Oct 4, 2017 at 1:52 AM, Steve Grubb <sgrubb@redhat.com> wrote: > > > > On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote: > > > > > Steve, > > > > > > > > > > Here is the relevant discussion on disabling the tcp listener on > > > > Ubuntu. > > > > > > > https://www.redhat.com/archives/linux-audit/2012-> > > > September/msg00027.html > > > > > > > I do not know what exactly caused change - but now I think it should > > > > be > > > > > > > enabled in distributions. > > > > > > > > > > Please let me know. > > > > > > > > > > Btw, I got auditd running (by setting LD_LIBRARY_PATH variable) from > > > > > > > > source > > > > > > > > > now. Still audispd is not started now - what is the way / sequence > > > > > to > > > > > > > > start > > > > > > > > > auditd and audispd - if you can point me to some reference or a > > > > startup > > > > > > > script will help. > > > > > > > > Since you installed in a non-standard location, you probably need to > > > > adjust > > > > paths in the config files. > > > > > > > > What I would recommend is not to build and install by hand, but to use > > > > their > > > > package manager to build a new package with listening enabled. The > > > > ./configure > > > > script takes a --disable-listener parameter. So, its probably as > > > > simple as > > > > > > deleting that in the source package and rebuilding. > > > > > > > > That said, I have no idea how to build a package on Debian or Ubuntu. > > > > > > > > -Steve ^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2017-10-04 16:28 UTC | newest] Thread overview: 16+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-10-02 18:55 Audisp-remote - connection refused Rituraj Buddhisagar 2017-10-02 19:51 ` Rituraj Buddhisagar 2017-10-02 21:58 ` Steve Grubb 2017-10-03 3:31 ` Rituraj Buddhisagar 2017-10-03 12:44 ` Steve Grubb 2017-10-03 12:52 ` Rituraj Buddhisagar 2017-10-03 12:58 ` Rituraj Buddhisagar 2017-10-03 15:08 ` Steve Grubb 2017-10-03 18:40 ` Rituraj Buddhisagar 2017-10-03 19:08 ` Rituraj Buddhisagar 2017-10-03 20:00 ` Rituraj Buddhisagar 2017-10-03 20:22 ` Steve Grubb 2017-10-04 14:01 ` Rituraj Buddhisagar 2017-10-04 15:19 ` Steve Grubb 2017-10-04 16:02 ` Rituraj Buddhisagar 2017-10-04 16:28 ` Steve Grubb
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).