On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
Hi
I tried my best to configure the audisp-remote.
I am getting below error on the client machine in /var/log/syslog.
Oct 2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7: Connection refused
On the server, what do you get for:
ausearch --start recent -m DAEMON_ACCEPT -i
The server side records some information about why it did not allow a
connection.
192.168.103.7 is the IP address of the central log server.
Notes: My settings are below:
On the server as well as on the client:
/etc/audisp/audisp-remote
remote_server = 192.168.103.7
port = 6999
local_port = 6999
transport = tcp
queue_file = /var/spool/audit/remote.log
mode = immediate
queue_depth = 2048
format = ascii
network_retry_time = 100
This is probably not your problem but managed is the normal setting for
format. And do you have enable_krb5 set to no?
I have enabled name_format=HOSTNAME only in one place (in
/etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf).
Entries in auditd.conf:
rtcp_listen_port = 6999
tcp_listen_queue = 5
tcp_max_per_addr = 10
tcp_client_ports = 0-65535
tcp_client_max_idle = 0
What do you have for use_libwrap and enable_krb5?
The ausearch info from the aggregating server should tell the reason why the
connection is rejected.
-Steve
I see the server is listening on the port 6999 as below but it's not
accepting client request.
root@logs:/etc# lsof -i :6999
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 9091 root 3u IPv4 33671 0t0 TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)
Best Regards,
Rituraj B