On Tue, 2008-09-09 at 14:36 -0400, DJ Delorie wrote:
> > Is there a HOWTO for activating the 1.7.5 aggregating feature?
> Just the man pages.
> > I believe that the collector needs to uncomment the lines
> > in /etc/auditd/auditd.conf and the senders/clients need to set
> > active=yes, remote=<IP-address> in the audisp-remote.conf file.
> The collector needs the listener configured in /etc/audit/auditd.conf:
> tcp_listen_port = 1237
> The clients need the audisp-remote module enabled and configured:
> /etc/audisp/plugins.d/au-remote.conf:
> active = yes
> /etc/audisp/audisp-remote.conf:
> remote_server = 192.16.1.12 (your server's IP, not mine ;)
> port = 1237 (or use some other port, up to you)
> transport = tcp
> Additional options:
> format = managed
> network_retry_time = 1
> max_tries_per_record = 10
> max_time_per_record = 7
DJ,
Thanks for the above. The network_retry_time (et al.) must be in the
later version.
I have: audispd-plugins-1.7.5-1.fc9.x86_64; there is no mention of that
one in the man page and I get this message on startup:
Sep 12 11:43:48 comms audisp-remote: Unknown keyword "network_retry_time" in
line 14 of /etc/audisp/audisp-remote.conf
Sep 12 11:43:48 comms auditd[4411]: Init complete, auditd 1.7.5 listening for events
(startup state enable)
Sep 12 11:43:48 comms audispd: plugin /sbin/audisp-remote terminated unexpectedly
So I removed the timing parameters.
Now I get this:
...
Sep 12 11:46:20 comms audisp-remote: lost/losing sync, bad magic number
Sep 12 11:46:20 comms audisp-remote: lost/losing sync, bad magic number
...
I do not see any errors in the message log on the collector.
Any ideas?
Thx again!
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
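As an added example (not part of this thread and not the audit project's own code), the script below does two things a collector administrator would want after reading the exchange above: it checks an audisp-remote.conf against the set of keywords a given audispd-plugins version is expected to accept, since an unknown keyword makes audisp-remote exit and takes forwarding down with it, and it scans syslog lines for the three failure signatures seen in the thread (unknown keyword, plugin terminated, lost/losing sync). The split of keywords into a base set and the timing set is an assumption drawn only from this thread (1.7.5 rejected network_retry_time); the parser is strict and, unlike whatever audisp-remote itself does, flags the parenthetical remarks in the thread as malformed lines rather than file content. The config text and log lines are constructed copies of what the thread shows.

```python
import re

# Keywords shown in the thread. The base/timing split is an assumption for
# illustration, taken only from the thread: 1.7.5 rejected network_retry_time.
BASE_KEYS = {"remote_server", "port", "transport", "format"}
TIMING_KEYS = {"network_retry_time", "max_tries_per_record", "max_time_per_record"}
REQUIRED_KEYS = {"remote_server", "port", "transport"}


def parse_audisp_conf(text):
    """Parse 'key = value' lines. '#' comments and blank lines are ignored.
    Returns (settings, bad_lines); bad_lines holds (lineno, line) for lines
    that are not a bare key = value pair (e.g. trailing prose remarks)."""
    settings, bad = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z_]+)\s*=\s*(\S+)", line)
        if not m:
            bad.append((n, raw))
            continue
        settings[m.group(1)] = m.group(2)
    return settings, bad


def check_conf(settings, supported_keys):
    """Return human-readable problems: keywords the target version would
    reject (audisp-remote exits on an unknown keyword, so no records are
    forwarded), required keywords that are missing, and an invalid port."""
    problems = []
    for key in sorted(settings):
        if key not in supported_keys:
            problems.append(f"unknown keyword {key!r} for this version")
    for key in sorted(REQUIRED_KEYS - settings.keys()):
        problems.append(f"required keyword {key!r} missing")
    port = settings.get("port")
    if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
        problems.append(f"port {port!r} is not a valid TCP port")
    return problems


# Failure signatures taken from the syslog lines quoted in the thread.
FAILURE_PATTERNS = {
    "plugin_died": re.compile(r"audispd: plugin (\S+) terminated unexpectedly"),
    "unknown_keyword": re.compile(r'audisp-remote: Unknown keyword "([^"]+)"'),
    "sync_lost": re.compile(r"audisp-remote: lost/losing sync"),
}


def find_forwarding_failures(log_lines):
    """Scan syslog lines for events meaning audit records are no longer
    reaching the collector. Returns (kind, timestamp, detail) tuples."""
    hits = []
    for line in log_lines:
        ts = line[:15]  # syslog 'Mon DD HH:MM:SS' prefix
        for kind, pat in FAILURE_PATTERNS.items():
            m = pat.search(line)
            if m:
                hits.append((kind, ts, m.group(1) if m.groups() else ""))
                break
    return hits


# Constructed sample input, copied from the thread (one wrapped line rejoined).
SAMPLE_CONF = """\
remote_server = 192.16.1.12
port = 1237
transport = tcp
format = managed
network_retry_time = 1
"""

SAMPLE_LOG = [
    'Sep 12 11:43:48 comms audisp-remote: Unknown keyword "network_retry_time" '
    "in line 14 of /etc/audisp/audisp-remote.conf",
    "Sep 12 11:43:48 comms auditd[4411]: Init complete, auditd 1.7.5 listening "
    "for events (startup state enable)",
    "Sep 12 11:43:48 comms audispd: plugin /sbin/audisp-remote terminated unexpectedly",
    "Sep 12 11:46:20 comms audisp-remote: lost/losing sync, bad magic number",
]

if __name__ == "__main__":
    settings, bad = parse_audisp_conf(SAMPLE_CONF)
    for p in check_conf(settings, BASE_KEYS):
        print("conf (1.7.5 keyword set):", p)
    for hit in find_forwarding_failures(SAMPLE_LOG):
        print("log:", hit)
```

Running it against the constructed sample reports the rejected keyword under the 1.7.5 keyword set and nothing under the full set, and the log scan returns the three events in order; the "sync_lost" hit is the one to alert on, because auditd on the client keeps reporting a clean startup while the collector silently receives nothing usable.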