On Tue, Oct 4, 2016 at 11:29 AM, leam hall <leamhall(a)gmail.com> wrote:
> If I put "audit.none" in /etc/rsyslog.conf for the /var/log/messages line,
> it prevents audisp from logging there even though audisp to syslog is
> turned on.
I find that hard to believe, since "audit" is not a facility name and
that's what rsyslog is expecting and the message I wrote IS what rsyslog
prints when you give an invalid facility name, but okay.
> Our end state is pretty simple, in theory. We want to have 1 copy of audit
> events on the system for auditing and send a remote copy elsewhere.
Hopefully Steve and friends won't mind that we're so off-topic here, but I
would approach that differently if I were you.
Assuming you're using the rsyslog.conf that comes with RHEL (which includes
/etc/rsyslog.d/*.conf before the main directives like the /var/log/messages
action line):
echo -e 'if $programname == "audispd" then @remotehost\n& ~' > /etc/rsyslog.d/audit.conf
Note that if you change the syslog plugin to use one of the local facility
names (and not just change the priority as we discussed earlier), then you
could have rsyslog filter on that instead of the programname -- benefit
being that it will get you closer to only matching on actual audit records.
All that said, if you really want to send audit records to a central host,
I hope you've at least considered using auditd's own native functionality.
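The two rsyslog filtering approaches discussed above (matching on the program name, or switching the audisp syslog plugin to a local facility and matching on that), written out as an added example that is not part of the thread. It assumes a RHEL-style /etc/rsyslog.conf that includes /etc/rsyslog.d/*.conf before the /var/log/messages action line, and an rsyslog new enough to accept "stop" (older releases use the legacy "& ~" discard shown in the mail). "remotehost", port 514 and the local6 facility are placeholder choices made for this example; pick one approach, not both.

```conf
# Added example, not from the thread. Assumes a RHEL-style rsyslog.conf that
# includes /etc/rsyslog.d/*.conf before the /var/log/messages action, and
# rsyslog v7+ for "stop" (older releases: "& ~"). "remotehost", port 514 and
# the local6 facility are placeholders chosen here. Use ONE of the approaches.

# --- Approach 1: /etc/rsyslog.d/audit.conf, filter on the program name ---
# Forward everything audispd hands to syslog over TCP (@@ = TCP, @ = UDP),
# then discard it so the later /var/log/messages action never sees it.
# The local copy of the audit trail is still /var/log/audit/audit.log.
if $programname == "audispd" then @@remotehost:514
& stop

# --- Approach 2: filter on a dedicated facility -------------------------
# Step 1, in /etc/audisp/plugins.d/syslog.conf, tag the records with
# LOG_LOCAL6 in addition to the LOG_INFO priority (restart auditd after):
#   args = LOG_INFO LOG_LOCAL6
# Step 2, /etc/rsyslog.d/audit.conf matches the facility instead of the
# program name. Only messages carrying local6 match, which is closer to
# "only audit records" than anything that happens to be named audispd.
local6.* @@remotehost:514
& stop

# Defence in depth for approach 2: even if the discard line is removed later,
# keep local6 out of /var/log/messages by adding local6.none to the selector
# of that action line in /etc/rsyslog.conf:
#   *.info;mail.none;authpriv.none;cron.none;local6.none    /var/log/messages
```

After editing, validate and reload with `rsyslogd -N1` and a restart of rsyslog; then confirm an audit event (for example a watched file access from your existing rules) shows up on the remote host and not in /var/log/messages.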