From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Remote logging with autitd
Date: Thu, 13 Nov 2014 21:44:53 -0500
Message-ID: <9904045.iPF9lTPz31@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Wouter van Verre
Cc: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

On Thursday, November 13, 2014 11:23:59 PM Wouter van Verre wrote:
> However, in my plugin I only seem to receive data from the central (i.e.
> local) server...

The feed to audispd, right now, is before receiving remote events. Meaning
that audispd only sees local events and never aggregate events...as things
are now.

> I draw this conclusion both because I see only one node name, and also
> because I generate TTY events on the client server only (and they show in
> /var/log/audit/audit.log as expected), and these do not show in the output
> from my plugin. Is this the expected behaviour?

Today, yes.

> Are plugins only supposed to receive the locally generated audit events? If
> it is, is there a way to forward the remotely generated data to a plugin on
> the central server?

Yes, and it would take some changes to the listening code to insert the
events at the right point in the event loop.

-Steve
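
Added example, not part of the original message or of the audit project's code: a Python check that repeats the comparison described in the thread, listing which `node=` names appear in the central server's aggregate log but never in what a plugin received. It assumes the plugin writes the string-format records it is fed to a capture; the host names and all sample records are constructed.

```python
import re
from collections import Counter, defaultdict

# Start of an audit record; node= is present only when a name_format is set.
RECORD = re.compile(r"^(?:node=(\S+) )?type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")

def parse_record(line):
    """Return (node, record_type, serial), or None if the line is not a record."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    return (m.group(1) or "(no node)", m.group(2), int(m.group(4)))

def types_per_node(lines):
    """Map each node name to a Counter of the record types seen from it."""
    seen = defaultdict(Counter)
    for line in lines:
        rec = parse_record(line)
        if rec:
            seen[rec[0]][rec[1]] += 1
    return dict(seen)

def nodes_missing_from_plugin(log_lines, plugin_lines):
    """Nodes present in the aggregate log that the plugin feed never carried."""
    return sorted(set(types_per_node(log_lines)) - set(types_per_node(plugin_lines)))

# Constructed sample: aggregate audit.log on the central server.
AGGREGATE_LOG = [
    'node=central.example type=USER_LOGIN msg=audit(1415933000.101:310): pid=1201 uid=0 auid=1000 ses=4 res=success',
    'node=client1.example type=TTY msg=audit(1415933093.552:87): tty pid=2210 uid=0 auid=1000 ses=2 major=136 minor=0 comm="bash" data=6C730D',
    'node=client1.example type=TTY msg=audit(1415933101.007:88): tty pid=2210 uid=0 auid=1000 ses=2 major=136 minor=0 comm="bash" data=69640D',
    'node=central.example type=USER_END msg=audit(1415933200.440:311): pid=1201 uid=0 auid=1000 ses=4 res=success',
]
# Constructed sample: what a plugin on the central server was fed (local only).
PLUGIN_CAPTURE = [
    'node=central.example type=USER_LOGIN msg=audit(1415933000.101:310): pid=1201 uid=0 auid=1000 ses=4 res=success',
    'node=central.example type=USER_END msg=audit(1415933200.440:311): pid=1201 uid=0 auid=1000 ses=4 res=success',
]

if __name__ == "__main__":
    for node, types in sorted(types_per_node(AGGREGATE_LOG).items()):
        print(f"audit.log  {node}: {dict(types)}")
    for node in nodes_missing_from_plugin(AGGREGATE_LOG, PLUGIN_CAPTURE):
        print(f"never reached the plugin: {node}")
```
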