From mboxrd@z Thu Jan  1 00:00:00 1970
From: LC Bruzenak <lenny@magitekltd.com>
Subject: Re: Remote logging with autitd
Date: Sun, 02 Nov 2014 15:25:50 -0600
Message-ID: <5456A15E.2060000@magitekltd.com>
References: <DUB131-W56065142D9B25021C68F9EDD9B0@phx.gbl>,
	<22466435.3iWqs6C8DU@x2>
	<DUB131-W69BAA3BCB6D84E8B977699DD980@phx.gbl>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7353093916242452595=="
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx12.extmail.prod.ext.phx2.redhat.com
	[10.5.110.17])
	by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id sA2LPt6Q025113
	for <linux-audit@redhat.com>; Sun, 2 Nov 2014 16:25:55 -0500
Received: from mail-ob0-f174.google.com (mail-ob0-f174.google.com
	[209.85.214.174])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id sA2LPrdC019492
	(version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=FAIL)
	for <linux-audit@redhat.com>; Sun, 2 Nov 2014 16:25:54 -0500
Received: by mail-ob0-f174.google.com with SMTP id uz6so8239666obc.33
	for <linux-audit@redhat.com>; Sun, 02 Nov 2014 13:25:53 -0800 (PST)
Received: from [192.168.31.226] (65-36-126-38.dyn.grandenetworks.net.
	[65.36.126.38])
	by mx.google.com with ESMTPSA id c76sm7051896oih.28.2014.11.02.13.25.51
	for <linux-audit@redhat.com>
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Sun, 02 Nov 2014 13:25:51 -0800 (PST)
In-Reply-To: <DUB131-W69BAA3BCB6D84E8B977699DD980@phx.gbl>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

This is a cryptographically signed message in MIME format.

--===============7353093916242452595==
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
	micalg=sha1; boundary="------------ms050409050400020609060103"

This is a cryptographically signed message in MIME format.

--------------ms050409050400020609060103
Content-Type: multipart/alternative;
	boundary="------------030106010003000006070401"

This is a multi-part message in MIME format.
--------------030106010003000006070401
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

On 11/02/2014 03:16 PM, Wouter van Verre wrote:
> Hi Steve,
>
> Many thanks for your response.
> I will be reading the presentation and the examples in the tarball and
> go from there for implementing my processing plugin.
>
> Regarding the logging to disk on the central server:
> I have node names set up for both servers now and am now getting the
> following behaviour:
>    On the client server I can see the events being prefixed with
> node=3DElephant in the log on that server.
>    On the central server I can see that local events are being
> prefixed with node=3DMongoose.
>    However, events that were sent to the central server by the client
> server show up in the central server's log with
>    node=3Dlocalhost.localdomain. So it seems that the node information
> gets lost between the client and central server?
>
> Would you have any idea why the node information is lost?
>
>
> Many thanks,
>
> Wouter

Check /etc/audisp/audispd.conf on your client.
Look at the  line with "name_format=3D" and it probably says "hostname"
(case insensitive).
Test this by checking "% hostname" command on your client.
See the audispd.conf man page for more info.

LCB

--=20
LC (Lenny) Bruzenak
lenny@magitekltd.com


--------------030106010003000006070401
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

<html>
  <head>
    <meta content=3D"text/html; charset=3Dwindows-1252"
      http-equiv=3D"Content-Type">
  </head>
  <body bgcolor=3D"#FFFFFF" text=3D"#000000">
    <div class=3D"moz-cite-prefix">On 11/02/2014 03:16 PM, Wouter van
      Verre wrote:<br>
    </div>
    <blockquote cite=3D"mid:DUB131-W69BAA3BCB6D84E8B977699DD980@phx.gbl"
      type=3D"cite">
      <style><!--
=2Ehmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style>
      <div dir=3D"ltr">Hi Steve,<br>
        <br>
        Many thanks for your response.<br>
        I will be reading the presentation and the examples in the
        tarball and go from there for implementing my processing plugin.<=
br>
        <br>
        Regarding the logging to disk on the central server: <br>
        I have node names set up for both servers now and am now getting
        the following behaviour:<br>
        =A0=A0 On the client server I can see the events being prefixed w=
ith
        node=3DElephant in the log on that server. <br>
        =A0=A0 On the central server I can see that local events are bein=
g
        prefixed with node=3DMongoose.<br>
        =A0=A0 However, events that were sent to the central server by th=
e
        client server show up in the central server's log with <br>
        =A0=A0 node=3Dlocalhost.localdomain. So it seems that the node
        information gets lost between the client and central server?<br>
        <br>
        Would you have any idea why the node information is lost?<br>
        <br>
        <br>
        Many thanks,<br>
        <br>
        Wouter<br>
      </div>
    </blockquote>
    <br>
    Check /etc/audisp/audispd.conf on your client.<br>
    Look at the=A0 line with "name_format=3D" and it probably says
    "hostname" (case insensitive).<br>
    Test this by checking "% hostname" command on your client.<br>
    See the audispd.conf man page for more info.<br>
    <br>
    LCB<br>
    <pre class=3D"moz-signature" cols=3D"72">--=20
LC (Lenny) Bruzenak
<a class=3D"moz-txt-link-abbreviated" href=3D"mailto:lenny@magitekltd.com=
">lenny@magitekltd.com</a></pre>
  </body>
</html>

--------------030106010003000006070401--

--------------ms050409050400020609060103
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIEZDCC
BGAwggNIoAMCAQICEwZQV0xKmXg6VpNOYV4AVY8RbPYwDQYJKoZIhvcNAQEFBQAwgYIxCzAJ
BgNVBAYTAlVTMR4wHAYDVQQLExV3d3cueHJhbXBzZWN1cml0eS5jb20xJDAiBgNVBAoTG1hS
YW1wIFNlY3VyaXR5IFNlcnZpY2VzIEluYzEtMCsGA1UEAxMkWFJhbXAgR2xvYmFsIENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5MB4XDTE0MDgxNDA5NTMyMFoXDTE1MDgxNDE1NTMyMFowcTEd
MBsGA1UEAwwUbGVubnlAbWFnaXRla2x0ZC5jb20xDjAMBgNVBAoMBXNtaW1lMQ4wDAYDVQQI
DAVzbWltZTELMAkGA1UEBhMCVVMxIzAhBgkqhkiG9w0BCQEWFGxlbm55QG1hZ2l0ZWtsdGQu
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyk/YzpnShgUImRJTL/rtYoP4
rP3rR9A45kty5KcQ+xaq7B2M/irmosxQ96hg1LcJrh9LEG9gmAjiQK32QT9hAND47Frag3+6
4txUSuiW4Wh1Q96avqg30hC0oZvylAyaqx1DRGw1jv3UVMyBOMWG7boxWOOPqIvBK6NaQGDD
j74tfb+MyjRGLpUq6IUzVhMiHX1pRXSlprS0jH0rSQQrGZIGnqRT2+LlhbU6jYcBLS7dsS38
gHaKhs5hgSsFIT0hmHvF7EqKLIpeqA4sRCdtHUrjCjRXTo4G0SYcPSHJegR9UADWWsyXaK2l
VMQG/yvczd/EcrJFaeTZTxQGzBInmwIDAQABo4HeMIHbMAsGA1UdDwQEAwIFoDATBgNVHSUE
DDAKBggrBgEFBQcDBDAdBgNVHQ4EFgQUbdNQFOkqZZpvYP3Og5yjTF5MKi4wHwYDVR0jBBgw
FoAUxk+iPQZjhAmczmLkBKyNXLXpthswQwYDVR0gBDwwOjA4BgpghkgBhv1kAgIBMCowKAYI
KwYBBQUHAgEWHGh0dHBzOi8vc3NsLnRydXN0d2F2ZS5jb20vQ0EwMgYDVR0fBCswKTAnoCWg
I4YhaHR0cDovL2NybC50cnVzdHdhdmUuY29tL1hHQ0EuY3JsMA0GCSqGSIb3DQEBBQUAA4IB
AQA4p5zP1UtMZrLRslU6wXrprLWT3Rw4yeYYnayveaKb/MN9iKI95gQeAlObmSk00GU3EngH
Y3EscFOYfQY9rkZCqSFSx+gc04FFBxFDrjs28McrD6MIcuFcRYLxri0QXMZ5yrkCw1sHwZHp
6R0/CvVcz7RvHREM108BAs/0SccZoTh2z9Py6IZcr+Ye3KsYpyET3Zu8Lw2VV7z24DntjMN6
3GC3pnbrLxadzxdAk5AkWo23FsNQElSJaG9PqoKV8blk1XI8dVQAtD7YBGI40sCW7VaYPZ0G
tYdyGROQWMAN6gj1pUt9oeIlLbaobvq8u5Gahhc+cwMWNycKSyOQWf8eMYID7zCCA+sCAQEw
gZowgYIxCzAJBgNVBAYTAlVTMR4wHAYDVQQLExV3d3cueHJhbXBzZWN1cml0eS5jb20xJDAi
BgNVBAoTG1hSYW1wIFNlY3VyaXR5IFNlcnZpY2VzIEluYzEtMCsGA1UEAxMkWFJhbXAgR2xv
YmFsIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMGUFdMSpl4OlaTTmFeAFWPEWz2MAkGBSsO
AwIaBQCgggIpMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTE0
MTEwMjIxMjU1MFowIwYJKoZIhvcNAQkEMRYEFP59w5PIZ68pYdO/1bQPt0/lfgFuMGwGCSqG
SIb3DQEJDzFfMF0wCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggq
hkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwgasG
CSsGAQQBgjcQBDGBnTCBmjCBgjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3dy54cmFtcHNl
Y3VyaXR5LmNvbTEkMCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2VydmljZXMgSW5jMS0wKwYD
VQQDEyRYUmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEwZQV0xKmXg6VpNO
YV4AVY8RbPYwga0GCyqGSIb3DQEJEAILMYGdoIGaMIGCMQswCQYDVQQGEwJVUzEeMBwGA1UE
CxMVd3d3LnhyYW1wc2VjdXJpdHkuY29tMSQwIgYDVQQKExtYUmFtcCBTZWN1cml0eSBTZXJ2
aWNlcyBJbmMxLTArBgNVBAMTJFhSYW1wIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
eQITBlBXTEqZeDpWk05hXgBVjxFs9jANBgkqhkiG9w0BAQEFAASCAQCIn0lDo2aw3i3wE4KB
esB8mvE1sMhzoRFUy7qJdcYomAJPLPXekkj6jzBMbJK2WeYCUMNyoCYDJcky46eDNCzMF6LS
K1J1FoKdUSlnEYlvFXxr9+Moi9nhy8cO+RlhNHb7Hczha5whAwLbi8djBgPF2VGx/9eHaBzx
eUbq7Mr+wt7dzhh4592jSHuNSkmaxSxe4YtbSUyuNa/nSFEIpND33f4So4ealvF+/I29ZLF3
UOu//EptnURtTUkIQPF74akiATNttXT4TV6+BFqiuUoAiTGFcHwl3gR3FKsumGv3ViXRHv8Q
xW9rYsex/s8B/nJgouLQ4cqumBmMW4wcr5Z9AAAAAAAA
--------------ms050409050400020609060103--


--===============7353093916242452595==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============7353093916242452595==--