From: Greg Herrmann
Subject: Re: Help with auditd.conf
Date: Tue, 29 Apr 2008 11:43:46 -0700 (PDT)
Message-ID: <473394.54274.qm@web38108.mail.mud.yahoo.com>
References: <48176B07.8050100@ll.mit.edu>
In-Reply-To: <48176B07.8050100@ll.mit.edu>
To: Ed Christiansen
Cc: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

Which version of Snare are you running? If it's on an RHEL 5 server, I would assume version 1.3. If so, shouldn't you be modifying /etc/snare.conf in order to do this?

Ed Christiansen wrote:

Do you REALLY want to do this? Your filesystem will just have more space taken up with duplicate information.

Scott Ehrlich wrote:
> Hello to all:
>
> I have Snare Agent and audit 1.5.2 running on a CentOS 5.0 box and a RHEL
> 5.0 server. I ideally would like audit logs to be sent to both the
> system's local audit.log file and to a log server. I reviewed the
> /etc/audit/auditd.conf file and tried to play with things and move things
> around, but an active watch of my log server's /var/log/syslog and local
> machine's audit.log does NOT show simultaneous activity, leading me to
> think it is either one way or the other, and that simultaneous local and
> remote logging is not possible.
>
> Is there a way to get both?
>
> Thanks.
>
> Scott
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
