audit collector startup help
DJ Delorie
dj at redhat.com
Sat Sep 13 00:04:41 UTC 2008
> After looking at this I had a hunch - the collector machine is 32-bit,
> the sender 64-bit.
And the magic number has the high bit set. I wonder if there's a sign
extension in there somewhere?
Can you try between two 32 bit hosts?
> I assume that all events on the sender make it to the collector. Is this
> true always?
I didn't add any filters - anything that makes it to audisp-remote
eventually gets queued in the server's event queue.
> But I cannot see this event on the collector.
All remote messages will have "node=" in them somewhere. Can you grep
for that manually in your server's audit logs? I wonder if ausearch
is skipping them.
More information about the Linux-audit
mailing list