Additional info:

I doubt that the daemon is only listening on localhost and not accepting remote.

# lsof -i :6999
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 9624 root    3u  IPv4  37642      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)


Btw, no iptables is running on the host. Also no tcpwrappers.

Regards

Best Regards,
Rituraj B


On Tue, Oct 3, 2017 at 12:25 AM, Rituraj Buddhisagar <rituraj@vayana.com> wrote:
Hi 

I tried my best to configure the audisp-remote.
I am getting the below error on the client machine in /var/log/syslog.

Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7: Connection refused


192.168.103.7 is the IP address of the central log server.

Notes: My settings are below:

On the server as well as on the client:
/etc/audisp/audisp-remote

remote_server = 192.168.103.7
port = 6999
local_port = 6999
transport = tcp
queue_file = /var/spool/audit/remote.log
mode = immediate
queue_depth = 2048
format = ascii
network_retry_time = 100


I have enabled name_format=HOSTNAME only in one place (in /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf).

entries in auditd.conf:

rtcp_listen_port = 6999
tcp_listen_queue = 5
tcp_max_per_addr = 10
tcp_client_ports = 0-65535
tcp_client_max_idle = 0


I see the server is listening on the port 6999 as below but it's not accepting client requests.
root@logs:/etc# lsof -i :6999
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)


 
Best Regards,
Rituraj B
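
An added example, not part of the original messages: a small parser for `lsof -i :PORT` output like the lines quoted above, which separates sockets in LISTEN state from ESTABLISHED sockets whose local and remote endpoints are identical. The function names and the LISTEN row are constructed for illustration and do not come from the thread.

```python
# Added example: classify `lsof -i :PORT` rows as listeners or connections.

# The lsof line quoted in the message above.
THREAD_OUTPUT = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)
"""

# Constructed for comparison (not from the thread): a listening socket row.
CONSTRUCTED_LISTENER = (
    "auditd    1234 root    5u  IPv4  40000      0t0  TCP *:6999 (LISTEN)\n"
)


def parse_lsof(text):
    """Return one dict per TCP row: command, local, remote, state."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE)
        if len(fields) < 10 or fields[7] != "TCP":
            continue
        local, _, remote = fields[8].partition("->")
        rows.append({"command": fields[0], "local": local,
                     "remote": remote or None, "state": fields[9].strip("()")})
    return rows


def diagnose(text, port):
    """Separate real listeners on `port` from self-connected sockets."""
    listeners, self_connected = [], []
    for row in parse_lsof(text):
        if row["local"].rsplit(":", 1)[-1] != str(port):
            continue
        if row["state"] == "LISTEN":
            listeners.append((row["command"], row["local"]))
        elif row["state"] == "ESTABLISHED" and row["local"] == row["remote"]:
            # Same address and port on both ends: the socket is connected
            # to itself and accepts nothing from other hosts.
            self_connected.append(row["command"])
    return {"listeners": listeners, "self_connected": self_connected}


if __name__ == "__main__":
    print(diagnose(THREAD_OUTPUT, 6999))
    print(diagnose(THREAD_OUTPUT + CONSTRUCTED_LISTENER, 6999))
```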