[PATCH] Add auditd listener and remote audit protocol

Norman Mark St. Laurent mstlaurent at conceras.com
Tue Sep 29 18:51:04 UTC 2009


Hi LCB,

I hope I answer you correctly...

I would look in your /etc/audisp/audisp-remote.conf file and note the
port you communicate on; as an alternative you can grab the port with
"lsof -i -nP" or "netstat -taupe".  Then you can use tcpdump to watch
the connections.

#tcpdump -i eth0 port 1001     -->  or whatever port you have set up for
the remote data, and the correct NIC.

Sounds like this could help you out.

Norman Mark St. Laurent
Conceras | Chief Technology Officer and ISSE
Phone:  703-965-4892
Email:  mstlaurent at conceras.com
Web:  http://www.conceras.com

Connect. Collaborate. Conceras.



LC Bruzenak wrote:
> On Thu, 2008-08-14 at 19:31 -0500, LC Bruzenak wrote:
>> On Thu, 2008-08-14 at 20:27 -0400, Steve Grubb wrote:
>>> On Thursday 14 August 2008 20:22:24 LC Bruzenak wrote:
>>>> I think you have a good point - this is the first cut and maybe
>>>> later on institute a "replay daemon" or something which can send
>>>> events on reconnect.
>>>
>>> Note that all audispd plugins take their input from stdin. At the
>>> worst, if you had the time hacks, you could
>>>
>>> ausearch --start <time> --end <time> --raw | /sbin/audisp-remote
>>>
>>> -Steve
>
> Steve,
>
> I have been doing this but I really cannot tell if the audisp-remote
> connection succeeds; it returns "0" either way.
> Would there be an easy way to return a non-zero failure indicator?
>
> Thx,
> LCB.
>
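The port-discovery and capture steps described above (read the port from audisp-remote.conf, then watch the connection with tcpdump), as an added shell example that is not part of the original thread: it reads the `port` and `remote_server` settings from the plugin config (assumed to be in `key = value` form, with `port` defaulting to 60 when unset, as in the audisp-remote.conf defaults) and prints the tcpdump command to run; the sample config file it writes is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): locate the audisp-remote port in the
# plugin config and turn it into a tcpdump filter for watching the connection.

# Print the value of one "key = value" setting from an audisp-remote.conf
# style file (comments start with '#'); prints nothing if the key is absent.
audisp_remote_setting() {
    key="$1"
    cfg="$2"
    awk -F'=' -v key="$key" '
        /^[[:space:]]*#/ { next }
        NF >= 2 {
            k = $1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (k == key) {
                v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v
                exit
            }
        }' "$cfg"
}

# Build the BPF filter "host <remote_server> and tcp port <port>".
# When "port" is not set, the plugin default of 60 is assumed (assumption
# taken from the audisp-remote.conf defaults, not from the thread).
audisp_capture_filter() {
    cfg="${1:-/etc/audisp/audisp-remote.conf}"
    server=$(audisp_remote_setting remote_server "$cfg")
    port=$(audisp_remote_setting port "$cfg")
    [ -n "$port" ] || port=60
    if [ -n "$server" ]; then
        printf 'host %s and tcp port %s\n' "$server" "$port"
    else
        printf 'tcp port %s\n' "$port"
    fi
}

# Print the tcpdump command to run on the sending host. -nn keeps addresses
# and ports numeric so the configured port is shown as-is.
audisp_tcpdump_command() {
    iface="${1:-eth0}"
    cfg="${2:-/etc/audisp/audisp-remote.conf}"
    printf 'tcpdump -i %s -nn %s\n' "$iface" "$(audisp_capture_filter "$cfg")"
}

# Write a constructed sample config (values chosen for this example only).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample audisp-remote.conf
remote_server = 192.0.2.10
port = 1001
transport = tcp
EOF
}

# Usage: sh audisp_port_check.sh --run eth0 /etc/audisp/audisp-remote.conf
if [ "${1:-}" = "--run" ]; then
    audisp_tcpdump_command "${2:-eth0}" "${3:-/etc/audisp/audisp-remote.conf}"
fi
```

Run it with `--run <nic> <config>` on the host that runs the audisp-remote plugin; the printed tcpdump line is the one to execute (as root) to confirm whether audit records actually leave the box, which is the check the "returns 0 either way" question above is really after.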