From mboxrd@z Thu Jan 1 00:00:00 1970
From: Scott Ehrlich
Subject: Help with auditd.conf
Date: Tue, 29 Apr 2008 14:23:34 -0400 (EDT)
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello to all:

I have Snare Agent and audit 1.5.2 running on a CentOS 5.0 box and a RHEL 5.0 server. I ideally would like audit logs to be sent to both the system's local audit.log file and to a log server.

I reviewed the /etc/audit/auditd.conf file and tried to play with things and move things around, but an active watch of my log server's /var/log/syslog and local machine's audit.log does NOT show simultaneous activity, leading me to think it is either one way or the other, and that simultaneous local and remote logging is not possible.

Is there a way to get both?

Thanks.

Scott