
Re: [PATCH] Add auditd listener and remote audit protocol



Hi LCB,

I hope I answer you correctly...

I would look in your /etc/audisp/audisp-remote.conf file and note the port you communicate on; as an alternative, you can grab the port with "lsof -i -nP" or "netstat -taupe". Then you can use tcpdump to watch the connections.

# tcpdump -i eth0 port 1001 --> or whatever port you have set up to the remote data on, and the correct NIC.

Sounds like this could help you out.

Norman Mark St. Laurent
Conceras | Chief Technology Officer and ISSE
Phone:  703-965-4892
Email:  mstlaurent conceras com
Web:  http://www.conceras.com

Connect. Collaborate. Conceras.



LC Bruzenak wrote:
On Thu, 2008-08-14 at 19:31 -0500, LC Bruzenak wrote:
On Thu, 2008-08-14 at 20:27 -0400, Steve Grubb wrote:
On Thursday 14 August 2008 20:22:24 LC Bruzenak wrote:
I think you have a good point - this is the first cut and maybe later on
institute a "replay daemon" or something which can send events on reconnect.

Note that all audispd plugins take their input from stdin. At the worst, if
you had the time hacks, you could

ausearch --start <time> --end <time> --raw | /sbin/audisp-remote

-Steve

Steve,

I have been doing this but I really cannot tell if the audisp-remote
connection succeeds; it returns "0" either way.
Would there be an easy way to return a non-zero failure indicator?

Thx,
LCB.
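
As an added example (not part of the original messages or of the audit project's code), the check described at the top of this message can be scripted: read the server and port from audisp-remote.conf, then look for a fully established TCP connection to that endpoint in "netstat -tn" or "ss -tn" output. The function names, the sample config values and the sample socket lines are constructed for illustration, and remote_server is assumed to be a numeric IPv4 address.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes "key = value" lines in
# audisp-remote.conf and a numeric IPv4 remote_server, because "netstat -n"
# and "ss -n" print addresses without resolving names.

# conf_value FILE KEY: print the last uncommented value of KEY, fail if absent.
conf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        END { if (val == "") exit 1; print val }
    ' "$1"
}

# established_to HOST PORT: read "netstat -tn" or "ss -tn" lines on stdin and
# succeed only if a connection to HOST:PORT is fully established. Both tools
# put the peer address in field 5; the state is field 6 (netstat) or 1 (ss).
established_to() {
    awk -v peer="$1:$2" '
        $5 == peer && ($6 == "ESTABLISHED" || $1 == "ESTAB") { found = 1 }
        END { exit !found }
    '
}

# link_up CONF: live check. Run it while audisp-remote is running, since the
# socket only exists for the lifetime of that process.
link_up() {
    host=$(conf_value "$1" remote_server) || return 2
    port=$(conf_value "$1" port) || return 2
    netstat -tn 2>/dev/null | established_to "$host" "$port"
}

# demo: constructed config and constructed netstat lines, no network needed.
demo() {
    conf=$(mktemp) || return 2
    printf '%s\n' '# constructed sample' 'remote_server = 192.0.2.10' \
        'port = 1001' '#port = 60' 'transport = tcp' > "$conf"
    host=$(conf_value "$conf" remote_server); port=$(conf_value "$conf" port)
    rm -f "$conf"
    if printf '%s\n' 'tcp 0 0 198.51.100.5:22 203.0.113.9:51514 ESTABLISHED' \
        "tcp 0 1 198.51.100.5:40112 $host:$port SYN_SENT" |
        established_to "$host" "$port"; then
        echo "connected to $host:$port"
    else
        echo "no established connection to $host:$port"
    fi
}
demo
```

In the constructed sample the only socket to the configured endpoint is still in SYN_SENT, so the check reports no established connection.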


