That fixed that issue.
Many thanks!
I'm going to have a look at implementing the plugin tomorrow.
Cheers!
Date: Sun, 2 Nov 2014 15:25:50 -0600
From: lenny(a)magitekltd.com
To: linux-audit(a)redhat.com
Subject: Re: Remote logging with autitd
On 11/02/2014 03:16 PM, Wouter van Verre wrote:
Hi Steve,
Many thanks for your response.
I will be reading the presentation and the examples in the
tarball and go from there for implementing my processing plugin.
Regarding the logging to disk on the central server:
I have node names set up for both servers now and am now getting
the following behaviour:
On the client server I can see the events being prefixed with
node=Elephant in the log on that server.
On the central server I can see that local events are being
prefixed with node=Mongoose.
However, events that were sent to the central server by the
client server show up in the central server's log with
node=localhost.localdomain. So it seems that the node
information gets lost between the client and central server?
Would you have any idea why the node information is lost?
Many thanks,
Wouter
Check /etc/audisp/audispd.conf on your client.
Look at the line with "name_format=" and it probably says
"hostname" (case insensitive).
Test this by checking "% hostname" command on your client.
See the audispd.conf man page for more info.
LCB
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
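
A check for the cause suggested in the reply above, as an added example that is not part of the original thread: it reads `name_format` from an audispd.conf-style file and reports the node name a client would attach to its events. The function names and the sample config are constructed for illustration; the `name` option (used when `name_format` is `user`) is taken from the audispd.conf man page.

```shell
#!/bin/sh
# conf_value FILE KEY: print the last value assigned to KEY (key match is
# case-insensitive), skipping comment lines and trimming whitespace.
conf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=/, "", v)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                val = v
            }
        }
        END { print val }' "$1"
}

# node_name_status FILE HOSTNAME: report the node= value the client will send.
# HOSTNAME is what the "hostname" command prints on that client.
node_name_status() {
    fmt=$(conf_value "$1" name_format | tr '[:upper:]' '[:lower:]')
    case "$fmt" in
        user)     node=$(conf_value "$1" name) ;;
        hostname) node=$2 ;;
        ""|none)  echo "WARN no node name is added (name_format=${fmt:-unset})"
                  return 1 ;;
        *)        echo "INFO name_format=$fmt is resolved at runtime; not checked here"
                  return 0 ;;
    esac
    case "$node" in
        ""|localhost|localhost.*)
            echo "WARN node=$node does not identify this host"; return 1 ;;
        *)  echo "OK node=$node" ;;
    esac
}

# Demo on a constructed config. On a real client, pass
# /etc/audisp/audispd.conf and "$(hostname)" instead.
sample=$(mktemp)
printf '# constructed sample\nname_format = HOSTNAME\n' > "$sample"
node_name_status "$sample" localhost.localdomain || true
printf 'name_format = user\nname = Elephant\n' > "$sample"
node_name_status "$sample" localhost.localdomain || true
rm -f "$sample"
```
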