Re: auditd.conf/audispd.conf question...
On Thursday, October 07, 2010 09:54:10 am Steve Grubb wrote:
> I want to log both locally and to a central server. So which
file should
> this be specified in /etc/audit/auditd.conf or /etc/audisp/audispd.conf
> or both?
Both. They are independent of each other.
Let me clarify. If you want the node name in both places, then you need to put
it in both places. At a minimum, you would want it in audispd.conf so that the
central logger knows where things come from. But you can leave it off the
auditd.conf to save disk space unless you need it to match.
-Steve