Re: [PATCH] Add auditd listener and remote audit protocol

Hi LCB, I hope I answer u correctly... I would look in your /etc/audisp/audisp-remote.conf file and note the port you communicate on, as an alternate you can grab the port with "lsof -i -nP" or "netstat -taupe". Then you can use tcpdump to watch the connections. #tcpdump -i eth0 port 1001 --> or what ever port you have setup to the remote data on and the correct nic. Sounds like this could help u out. Norman Mark St. Laurent Conceras | Chief Technology Officer and ISSE Phone: 703-965-4892 Email: mstlaurent(a)conceras.com Web: http://www.conceras.com Connect. Collaborate. Conceras. LC Bruzenak wrote: > On Thu, 2008-08-14 at 19:31 -0500, LC Bruzenak wrote: > >> On Thu, 2008-08-14 at 20:27 -0400, Steve Grubb wrote: >> >>> On Thursday 14 August 2008 20:22:24 LC Bruzenak wrote: >>> >>>> I think you have a good point - this is the first cut and maybe >>>> >> later on >> >>>> institute a "replay daemon" or something which can send events on >>>> reconnect. >>>> >>> Note that all audispd plugins take their input from stdin. At the >>> >> worst, if >> >>> you had the time hacks, you could >>> >>> ausearch --start <time> --end <time> --raw | /sbin.audisp-remote >>> >>> -Steve >>> > > Steve, > > I have been doing this but I really cannot tell if the audisp-remote > connection succeeds; it returns "0" either way. > Would there be an easy way to return a non-zero failure indicator? > > Thx, > LCB. >