Hi Steve, sorry for bugging you directly, nearly 1 year ago (May 10th to be exact) we collaborated, for my benefit on how to configure audispatch on "RHEL6" machines.

It seems that my instructions that I kept from 1 year ago are no longer valid; there are new files in existence and some old ones no longer in existence for both RHEL6 and RHEL7:

[OLD]

/etc/audisp/audisp-remote.conf,

/etc/audisp/plugins.d/au-remote.conf

[NEW]

/etc/audisp/plugins.d/af_unix.conf

/etc/audisp/plugins.d/syslog.conf

Not sure how to find the appropriate man pages to configure this setup properly. I am attaching what I wrote 1 year ago; and hope that you can push me in the direction of a good walk-through for audispatch of the modern revision (audit-2.4.5-3 on RHEL6, and audit-2.4.1-5.el7).

I have to stick with these revision for a little while since we are going through a Project Management Stage gate, impacting update decisions.

--------------------------
Warron French