From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Norman Mark St. Laurent" <mstlaurent@conceras.com>
Subject: Re: [PATCH] Add auditd listener and remote audit protocol
Date: Tue, 29 Sep 2009 14:51:04 -0400
Message-ID: <4AC25718.1050801@conceras.com>
References: <200808142143.m7ELh0MP028560@greed.delorie.com>	<200808142007.02746.sgrubb@redhat.com>	<1218759744.7022.272.camel@homeserver>	<200808142027.40811.sgrubb@redhat.com>	<1218760295.7022.277.camel@homeserver>
	<1254246768.9900.14.camel@lcb>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx08.extmail.prod.ext.phx2.redhat.com
	[10.5.110.12])
	by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id n8TIpLaA017298
	for <linux-audit@redhat.com>; Tue, 29 Sep 2009 14:51:21 -0400
Received: from smtpauth18.prod.mesa1.secureserver.net
	(smtpauth18.prod.mesa1.secureserver.net [64.202.165.31])
	by mx1.redhat.com (8.13.8/8.13.8) with SMTP id n8TIp8kL002392
	for <linux-audit@redhat.com>; Tue, 29 Sep 2009 14:51:08 -0400
In-Reply-To: <1254246768.9900.14.camel@lcb>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: LC Bruzenak <lenny@magitekltd.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi LCB,

I hope I answer u correctly...

I would look in your /etc/audisp/audisp-remote.conf file and note the 
port you communicate on, as an alternate you can grab the port with 
"lsof -i -nP" or "netstat -taupe".  Then you can use tcpdump to watch 
the connections.

#tcpdump -i eth0 port 1001     -->  or what ever port you have setup to 
the remote data on and the correct nic.

Sounds like this could help u out.

Norman Mark St. Laurent
Conceras | Chief Technology Officer and ISSE
Phone:  703-965-4892
Email:  mstlaurent@conceras.com
Web:  http://www.conceras.com

Connect. Collaborate. Conceras.



LC Bruzenak wrote:
> On Thu, 2008-08-14 at 19:31 -0500, LC Bruzenak wrote:
>   
>> On Thu, 2008-08-14 at 20:27 -0400, Steve Grubb wrote:
>>     
>>> On Thursday 14 August 2008 20:22:24 LC Bruzenak wrote:
>>>       
>>>> I think you have a good point - this is the first cut and maybe
>>>>         
>> later on
>>     
>>>> institute a "replay daemon" or something which can send events on
>>>> reconnect.
>>>>         
>>> Note that all audispd plugins take their input from stdin. At the
>>>       
>> worst, if 
>>     
>>> you had the time hacks, you could 
>>>
>>> ausearch --start <time> --end <time> --raw | /sbin.audisp-remote
>>>
>>> -Steve
>>>       
>
> Steve,
>
> I have been doing this but I really cannot tell if the audisp-remote
> connection succeeds; it returns "0" either way.
> Would there be an easy way to return a non-zero failure indicator?
>
> Thx,
> LCB.
>
>