From: leam hall
Subject: LOG_WARN or LOG_WARNING?
Date: Tue, 4 Oct 2016 10:10:31 -0400
To: linux-audit@redhat.com

For /etc/audisp/plugins.d/syslog.conf, is "LOG_WARN" an accepted arg, or
does it need to be "LOG_WARNING"?

Thanks!

Leam

--
Mind on a Mission
From: Ryan Sawhill
Subject: Re: LOG_WARN or LOG_WARNING?
Date: Tue, 4 Oct 2016 10:29:30 -0400
To: leam hall
Cc: linux-audit@redhat.com

On Tue, Oct 4, 2016 at 10:10 AM, leam hall wrote:
> For /etc/audisp/plugins.d/syslog.conf, is "LOG_WARN" an accepted arg, or
> does it need to be "LOG_WARNING"?

You must use real facility names as documented in syslog(3), so: LOG_WARNING.
From: leam hall
Subject: Re: LOG_WARN or LOG_WARNING?
Date: Tue, 4 Oct 2016 10:31:04 -0400
To: linux-audit@redhat.com

Ryan, thanks!

On Tue, Oct 4, 2016 at 10:29 AM, Ryan Sawhill wrote:
> On Tue, Oct 4, 2016 at 10:10 AM, leam hall wrote:
>
>> For /etc/audisp/plugins.d/syslog.conf, is "LOG_WARN" an accepted arg, or
>> does it need to be "LOG_WARNING"?
>
> You must use real facility names as documented in syslog(3), so:
> LOG_WARNING.

--
Mind on a Mission
From: Steve Grubb
Subject: Re: LOG_WARN or LOG_WARNING?
Date: Tue, 04 Oct 2016 10:36:51 -0400
To: linux-audit@redhat.com

On Tuesday, October 4, 2016 10:10:31 AM EDT leam hall wrote:
> For /etc/audisp/plugins.d/syslog.conf, is "LOG_WARN" an accepted arg, or
> does it need to be "LOG_WARNING"?

LOG_WARNING.

https://fedorahosted.org/audit/browser/trunk/audisp/audispd-builtins.c#L279

-Steve

From: leam hall
Subject: Re: LOG_WARN or LOG_WARNING?
Date: Tue, 4 Oct 2016 10:58:34 -0400
To: linux-audit@redhat.com

Sort of a followup question. I'm surprised adding "audit.none" to the
"/var/log/messages" line of rsyslog.conf (RHEL 6) works. I didn't think
audit was a full "facility" in whatever rsyslog looks at. Am I more
confused than normal?

Thanks!

Leam

On Tue, Oct 4, 2016 at 10:36 AM, Steve Grubb wrote:
> On Tuesday, October 4, 2016 10:10:31 AM EDT leam hall wrote:
> > For /etc/audisp/plugins.d/syslog.conf, is "LOG_WARN" an accepted arg, or
> > does it need to be "LOG_WARNING"?
>
> LOG_WARNING.
>
> https://fedorahosted.org/audit/browser/trunk/audisp/audispd-builtins.c#L279
>
> -Steve

--
Mind on a Mission
From: Ryan Sawhill
Subject: Re: LOG_WARN or LOG_WARNING?
Date: Tue, 4 Oct 2016 11:04:35 -0400
To: leam hall
Cc: linux-audit@redhat.com

On Tue, Oct 4, 2016 at 10:58 AM, leam hall wrote:
> Sort of a followup question. I'm surprised adding "audit.none" to the
> "/var/log/messages" line of rsyslog.conf (RHEL 6) works. I didn't think
> audit was a full "facility" in whatever rsyslog looks at. Am I more
> confused than normal?

It's not. If you look at your main log you should see a message from
rsyslogd saying something like "unknown facility 'audit'".
From: leam hall
Subject: Re: LOG_WARN or LOG_WARNING?
Date: Tue, 4 Oct 2016 11:29:20 -0400
To: linux-audit@redhat.com

Hey Ryan,

If I put "audit.none" in /etc/rsyslog.conf for the /var/log/messages line,
it prevents audisp from logging there even though audisp to syslog is
turned on.

Our end state is pretty simple, in theory. We want to have 1 copy of audit
events on the system for auditing and send a remote copy elsewhere.

On Tue, Oct 4, 2016 at 11:04 AM, Ryan Sawhill wrote:
> On Tue, Oct 4, 2016 at 10:58 AM, leam hall wrote:
>
>> Sort of a followup question. I'm surprised adding "audit.none" to the
>> "/var/log/messages" line of rsyslog.conf (RHEL 6) works. I didn't think
>> audit was a full "facility" in whatever rsyslog looks at. Am I more
>> confused than normal?
>
> It's not. If you look at your main log you should see a message from
> rsyslogd saying something like "unknown facility 'audit'".

--
Mind on a Mission
From: Ryan Sawhill
Subject: Re: LOG_WARN or LOG_WARNING?
Date: Tue, 4 Oct 2016 11:51:36 -0400
To: leam hall
Cc: linux-audit@redhat.com

On Tue, Oct 4, 2016 at 11:29 AM, leam hall wrote:
> If I put "audit.none" in /etc/rsyslog.conf for the /var/log/messages line,
> it prevents audisp from logging there even though audisp to syslog is
> turned on.

I find that hard to believe, since "audit" is not a facility name and that's
what rsyslog is expecting and the message I wrote IS what rsyslog prints when
you give an invalid facility name, but okay.

> Our end state is pretty simple, in theory. We want to have 1 copy of audit
> events on the system for auditing and send a remote copy elsewhere.

Hopefully Steve and friends won't mind that we're so off-topic here, but I
would approach that differently if I were you.

Assuming you're using the rsyslog.conf that comes with RHEL (which includes
/etc/rsyslog.d/*.conf before the main directives like the /var/log/messages
action line):

  echo -e 'if $programname == "audispd" then @remotehost\n& ~' > /etc/rsyslog.d/audit.conf

Note that if you change the syslog plugin to use one of the local facility
names (and not just change the priority as we discussed earlier), then you
could have rsyslog filter on that instead of the programname -- benefit being
that it will get you closer to only matching on actual audit records.

All that said, if you really want to send audit records to a central host, I
hope you've at least considered using auditd's own native functionality.
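An added example (not code from the thread, the audit project or rsyslog) that ties the two threads of advice together in POSIX shell: it checks the plugin's "args" line in /etc/audisp/plugins.d/syslog.conf against the syslog(3) spellings, so LOG_WARN is caught before audispd rejects it, and derives the forward-and-discard rsyslog rule from the facility audisp actually logs with, which is Ryan's "filter on a local facility instead of programname" suggestion. The name lists, the LOG_USER fallback and the script name are assumptions; the authoritative table is the audispd-builtins.c code Steve links.

```shell
#!/bin/sh
# Added example: validate an audisp syslog plugin "args" line and emit
# the matching rsyslog forward rule. Not part of audit or rsyslog.

# Priority and facility names as documented in syslog(3). Assumed to
# match the table audispd keeps in audispd-builtins.c; LOG_KERN is left
# out because a user-space process cannot log with it.
PRIORITIES="LOG_EMERG LOG_ALERT LOG_CRIT LOG_ERR LOG_WARNING LOG_NOTICE LOG_INFO LOG_DEBUG"
FACILITIES="LOG_USER LOG_DAEMON LOG_AUTH LOG_AUTHPRIV LOG_SYSLOG \
LOG_LOCAL0 LOG_LOCAL1 LOG_LOCAL2 LOG_LOCAL3 LOG_LOCAL4 LOG_LOCAL5 LOG_LOCAL6 LOG_LOCAL7"

# in_list NAME LIST: succeed only if NAME is exactly one word of LIST
# (exact match, so the LOG_WARN misspelling fails here rather than at
# audispd start-up)
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# audisp_args FILE: print "PRIORITY FACILITY" taken from the plugin
# config's "args = PRIORITY [FACILITY]" line, or fail with a reason.
# A missing facility falls back to LOG_USER (assumed plugin default).
audisp_args() {
    line=$(sed -n 's/^[[:space:]]*args[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    set -- $line
    pri=${1:-}
    fac=${2:-LOG_USER}
    [ -n "$pri" ] || { echo "no args line in config" >&2; return 1; }
    in_list "$pri" "$PRIORITIES" || { echo "unknown priority '$pri'" >&2; return 1; }
    in_list "$fac" "$FACILITIES" || { echo "unknown facility '$fac'" >&2; return 1; }
    echo "$pri $fac"
}

# rsyslog_rule FACILITY HOST: rsyslog.d snippet that forwards every
# priority of FACILITY to HOST and then discards the message ("& ~" is
# the legacy-syntax discard used in the thread), so it never reaches the
# /var/log/messages action that follows in the RHEL rsyslog.conf.
rsyslog_rule() {
    case "$1" in
        LOG_LOCAL[0-7]) ;;
        *) echo "warning: $1 is shared with other daemons; a LOG_LOCALn facility isolates audit records" >&2 ;;
    esac
    sel=$(echo "$1" | sed 's/^LOG_//' | tr '[:upper:]' '[:lower:]')
    printf '%s.* @%s\n& ~\n' "$sel" "$2"
}

# Usage (assumed script name): sh audisp-rsyslog.sh /etc/audisp/plugins.d/syslog.conf remotehost
if [ $# -eq 2 ]; then
    pf=$(audisp_args "$1") || exit 1
    rsyslog_rule "${pf#* }" "$2"
fi
```

Run against a plugin config with `args = LOG_INFO LOG_LOCAL6` it prints `local6.* @remotehost` followed by `& ~`; with `args = LOG_WARN` it stops with `unknown priority 'LOG_WARN'`.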
From: leam hall
Subject: Re: LOG_WARN or LOG_WARNING?
Date: Tue, 4 Oct 2016 12:00:48 -0400
To: linux-audit@redhat.com

On Tue, Oct 4, 2016 at 11:51 AM, Ryan Sawhill wrote:
> On Tue, Oct 4, 2016 at 11:29 AM, leam hall wrote:
>
>> If I put "audit.none" in /etc/rsyslog.conf for the /var/log/messages
>> line, it prevents audisp from logging there even though audisp to syslog is
>> turned on.
>
> I find that hard to believe, since "audit" is not a facility name and
> that's what rsyslog is expecting and the message I wrote IS what rsyslog
> prints when you give an invalid facility name, but okay.

I found it odd as well, but it does seem to work.

> All that said, if you really want to send audit records to a central host,
> I hope you've at least considered using auditd's own native functionality.

Wasn't aware of it. Pointer to a doc?

Thanks!

Leam

--
Mind on a Mission