Re: Remote logging with autitd
On Thursday, November 13, 2014 11:23:59 PM Wouter van Verre wrote:
However, in my plugin I only seems to receive data from the central
(i.e.
local) server...
The feed to audispd, right now, is before receiving remote events. Meaning
that audispd only sees local events and never aggregate events...as things are
now.
I draw this conclusion both because I see only one node name, and
also
because I generate TTY events on the client server only (and they show in
/var/log/audit/audit.log as expected), and these do not show in the output
from my plugin. Is this the expected behaviour?
Today, yes.
Are plugins only supposed to receive the locally generated audit
events? If
it is, is there a way to forward the remotely generated data to a plugin on
the central server?
Yes, and it would take some changes to the listening code to insert the events
at the right point in the event loop.
-Steve