From: Dan Gruhn
Subject: Central Audit Server with Prelude and Prewikka - RHEL5
Date: Fri, 13 Feb 2009 15:11:26 -0500
Message-ID: <4995D3EE.3020005@groupw.com>
References: <499455ED.3060208@groupw.com> <200902121243.03741.sgrubb@redhat.com> <499460FF.3050400@groupw.com>
In-Reply-To: <499460FF.3050400@groupw.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Greetings,

I have a 64-bit EL 5.2 system that I have built and installed all of the necessary packages for the latest audit (1.7.11-1), prelude and prewikka. This all seems to be working fine on the central cluster server and I have set up a client in a cluster node to report its audit information to the server. This seems to be working in that I see both the master and the node reporting their information in the master's /var/log/messages and /var/log/audit/audit.log. I still have an issue with SELinux and the port connection, but I'm running in permissive mode for now.

I'm using Prelude and Prewikka to view events and I see the master as a sensor/source and its events, but I don't see the node. I thought that once the audit/syslog information was making it to the central files the rest would also work, but that doesn't seem to be the case.

Steve's "Audit + Prelude HOWTO" has been quite helpful, but it describes putting the client and server all on one machine (which I have working) and I'm just not getting what to change to add another client. I don't have prelude-manager running on the client, but it seems as though I don't need that.

Could someone give me a pointer on where to look for the problem?

Thanks,

Dan