Hi Steve / List 

Now, I have built auditd from source as per the mail thread and then also created a startup script.

The auditd is starting successfully. 

The client is able to connect to the aggregating server. 

node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272): addr=192.168.103.2 port=60 res=success


I have made the necessary change in the server in /etc/audit/auditd.conf

log_format = NOLOG

I do not see any logs being populated - I checked the log file on the client and on the server, and also /var/spool/audit/remote.log on the client.
On the server side /var/spool/audit/remote.log is empty (I am not sure if this is something I should be checking at all).

I am clueless as to what is happening. Is there some way to debug this? Where are these logs getting lost?
When I change the log_format back to RAW, I do see the logs getting created on the client.

I did my best reading on the net and debugging this - but no success. Please help.

On Wed, Oct 4, 2017 at 1:52 AM, Steve Grubb <sgrubb@redhat.com> wrote:
On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote:
> Steve,
>
> Here is the relevant discussion on disabling the tcp listener on Ubuntu.
> https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html
>
> I do not know what exactly caused the change - but now I think it should be
> enabled in distributions.
>
> Please let me know.
>
> Btw, I got auditd running (by setting the LD_LIBRARY_PATH variable) from source
> now. Still, audispd is not started now - what is the way / sequence to start
> auditd and audispd? If you can point me to some reference or a startup
> script, it will help.

Since you installed in a non-standard location, you probably need to adjust
paths in the config files.

What I would recommend is not to build and install by hand, but to use their
package manager to build a new package with listening enabled. The ./configure
script takes a --disable-listener parameter. So, it's probably as simple as
deleting that in the source package and rebuilding.

That said, I have no idea how to build a package on Debian or Ubuntu.

-Steve