On Tue, May 18, 2010 at 10:43 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Tuesday 18 May 2010 10:27:32 am Konstantin Ryabitsev wrote:
> I'm interested in sending audit logs to a central logging server. One
> option is using the builtin syslog plugin for audisp, but I also see
> audisp-remote that mentions sending logs to a remote server.
> Unfortunately, I'm having trouble finding more information about that
> (such as "what kind of a remote server" and "how do you set up a
> remote server").
auditd is the remote server. Look at the auditd.conf man page starting at the
tcp_listen_port entry to see what options you have available. One thing to
note, I do not enable the kerberos support right now on any Red Hat or Fedora
release.
Ah, okay -- I suspected as such but wanted to make sure. Is there a
way to send audit data encrypted if kerberos is not enabled?
> Also a suggestion -- the syslog plugin for audisp doesn't
specify the
> facility, so the default facility (LOG_USER) is used. Perhaps this can
> be made configurable so I could configure syslog to only send audit
> logs to remote without duplicating them in /var/log/messages (e.g. set
> facility to local9 and only send it to a remote server, not locally)?
Sure. If you want to file a RFE bugzilla, please do.
Created as
https://bugzilla.redhat.com/show_bug.cgi?id=593340
Thanks!
--
McGill University IT Security
Konstantin "Kay" Ryabitsev
Montréal, Québec