More info on remote logging

Konstantin Ryabitsev icon at fedoraproject.org
Tue May 18 14:27:32 UTC 2010


Hi, all:

I'm interested in sending audit logs to a central logging server. One
option is using the builtin syslog plugin for audisp, but I also see
audisp-remote that mentions sending logs to a remote server.
Unfortunately, I'm having trouble finding more information about that
(such as "what kind of a remote server" and "how do you set up a
remote server").

Also a suggestion -- the syslog plugin for audisp doesn't specify the
facility, so the default facility (LOG_USER) is used. Perhaps this can
be made configurable so I could configure syslog to only send audit
logs to remote without duplicating them in /var/log/messages (e.g. set
facility to local9 and only send it to a remote server, not locally)?
Currently that's not possible and I end up wasting space by having
audit logs both in /var/log/audit/audit.log and in /var/log/messages.
Turning off af_unix is an option, but that has a significant drawback
of complicating ausearch/aureport.

Regards,
-- 
McGill University IT Security
Konstantin "Kay" Ryabitsev
Montréal, Québec

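One way to get the routing the post asks for on the syslog side, written as an added example for readers of this thread and not taken from the audit project or from the poster: an rsyslog rule set that forwards the audisp messages to a remote collector and then discards them so they never reach /var/log/messages. It assumes rsyslog's legacy configuration syntax, that the audisp syslog plugin logs with the program name "audispd" (the usual tag; verify it against your own /var/log/messages), and that the collector is reachable at the placeholder host logserver.example.com. The facility-based variant at the bottom only works once the plugin can be told to use a facility other than LOG_USER, which is exactly the change the post proposes.

```conf
# /etc/rsyslog.d/10-audit-remote.conf  (hypothetical file name; must sort
# before the rule that writes *.info to /var/log/messages)

# Variant 1: select by program name, independent of facility.
# "audispd" is the assumed syslog tag of the audisp syslog plugin.
# @@ = TCP, @ = UDP; 514 is the conventional syslog port.
:programname, isequal, "audispd"    @@logserver.example.com:514

# Discard the message after forwarding so it is not written locally.
# (rsyslog legacy syntax; newer releases also accept "& stop".)
& ~

# Variant 2: select by facility, usable only if the plugin emits on a
# dedicated facility (local0..local7 are the ones defined for local use).
# local6.*                          @@logserver.example.com:514
# & ~
```

Keep a local copy on the collector side, and remember that with TCP forwarding rsyslog queues while the collector is down, whereas UDP silently drops; the audit.log kept by auditd itself is unaffected by this file, so ausearch and aureport keep working.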