1:23 p.m.
Hello to all:
I have Snare Agent and audit 1.5.2 running on a CentOS 5.0 box and a RHEL
5.0 server. I ideally would like audit logs to be sent to both the
system's local audit.log file and to a log server. I reviewed the
/etc/audit/auditd.conf file and tried to play with things and move things
around, but an active watch of my log server's /var/log/syslog and local
machine's audit.log does NOT show simultaneous activity, leading me to
think it is either one way or the other, and that simultaneous local and
remote logging is not possible.
Is there a way to get both?
Thanks.
Scott
1:37 p.m.
Do you REALLY want to do this? your filesystem
will just have more space taken up with duplicate
information.
Scott Ehrlich wrote:
Hello to all:
I have Snare Agent and audit 1.5.2 running on a CentOS 5.0 box and a RHEL
5.0 server. I ideally would like audit logs to be sent to both the
system's local audit.log file and to a log server. I reviewed the
/etc/audit/auditd.conf file and tried to play with things and move things
around, but an active watch of my log server's /var/log/syslog and local
machine's audit.log does NOT show simultaneous activity, leading me to
think it is either one way or the other, and that simultaneous local and
remote logging is not possible.
Is there a way to get both?
Thanks.
Scott
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
1:43 p.m.
Which version of Snare are you running? If it's on an RHEL 5 server, I would assume
version 1.3. If so, shouldn't you be modifying /etc/snare.conf in order to do this?
Ed Christiansen <edwardc(a)ll.mit.edu> wrote: Do you REALLY want to do this? your
filesystem
will just have more space taken up with duplicate
information.
Scott Ehrlich wrote:
Hello to all:
I have Snare Agent and audit 1.5.2 running on a CentOS 5.0 box and a RHEL
5.0 server. I ideally would like audit logs to be sent to both the
system's local audit.log file and to a log server. I reviewed the
/etc/audit/auditd.conf file and tried to play with things and move things
around, but an active watch of my log server's /var/log/syslog and local
machine's audit.log does NOT show simultaneous activity, leading me to
think it is either one way or the other, and that simultaneous local and
remote logging is not possible.
Is there a way to get both?
Thanks.
Scott
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
---------------------------------
Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now.
2:51 p.m.
I think Ed is correct. You should have a couple of lines in snare.conf
with the following.
file=<path to logfile>
network=<remote hostname or ip>:<port>
you can comment out either one or leave both. you may even be able to
specify more than one of each, but I haven't tried that.
kevin
On Tue, 2008-04-29 at 11:43 -0700, Greg Herrmann wrote:
Which version of Snare are you running? If it's on an RHEL 5
server,
I would assume version 1.3. If so, shouldn't you be
modifying /etc/snare.conf in order to do this?
Ed Christiansen <edwardc(a)ll.mit.edu> wrote:
Do you REALLY want to do this? your filesystem
will just have more space taken up with duplicate
information.
Scott Ehrlich wrote:
> Hello to all:
>
> I have Snare Agent and audit 1.5.2 running on a CentOS 5.0
box and a RHEL
> 5.0 server. I ideally would like audit logs to be sent to
both the
> system's local audit.log file and to a log server. I
reviewed the
> /etc/audit/auditd.conf file and tried to play with things
and move things
> around, but an active watch of my log
server's /var/log/syslog and local
> machine's audit.log does NOT show simultaneous activity,
leading me to
> think it is either one way or the other, and that
simultaneous local and
> remote logging is not possible.
>
> Is there a way to get both?
>
> Thanks.
>
> Scott
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
______________________________________________________________________
Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try
it now.
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
2:01 p.m.
Scott Ehrlich wrote:
Hello to all:
I have Snare Agent and audit 1.5.2 running on a CentOS 5.0 box and a RHEL
5.0 server. I ideally would like audit logs to be sent to both the
system's local audit.log file and to a log server. I reviewed the
/etc/audit/auditd.conf file and tried to play with things and move things
around, but an active watch of my log server's /var/log/syslog and local
machine's audit.log does NOT show simultaneous activity, leading me to
think it is either one way or the other, and that simultaneous local and
remote logging is not possible.
Is there a way to get both?
Thanks.
Scott
It's not possibly directly. The kernel will log to syslog if there is no
auditd running but normally, with auditd running it'll log to auditd but
what you are trying to achieve is the reason the displatcher (audispd) was
created. If you don't want to use one of the existing modules, you could
easily create your own which just relays to the local syslog.
Tony
1:56 p.m.
On Tuesday 29 April 2008 02:23:34 pm Scott Ehrlich wrote:
I have Snare Agent and audit 1.5.2 running on a CentOS 5.0 box and a
RHEL
5.0 server. I ideally would like audit logs to be sent to both the
system's local audit.log file and to a log server.
We are working on this.
I reviewed the /etc/audit/auditd.conf file and tried to play with
things and
move things around, but an active watch of my log server's /var/log/syslog
and local machine's audit.log does NOT show simultaneous activity, leading
me to think it is either one way or the other, and that simultaneous local
and remote logging is not possible.
Is there a way to get both?
audispd is the audit event multiplexer. To get audit logs in
both /var/log/messages and /var/log/audit/audit.log,
edit /etc/audisp/plugins.d/syslog.conf and change active to yes. Then restart
the audit deamon. If you don't have /etc/audisp/plugins.d/syslog.conf, you
need to upgrade to a newer audit package.
-Steve
6089
days inactive
6089
days old
linux-audit@lists.linux-audit.osci.io
5 comments
6 participants
participants (6)
-
Ed Christiansen -
Greg Herrmann -
Kevin Boyce -
Scott Ehrlich -
Steve Grubb -
Tony Jones