[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]


On Tue, Oct 4, 2016 at 11:29 AM, leam hall <leamhall gmail com> wrote:
If I put "audit.none" in /etc/rsyslog.conf for the /var/log/messages line, it prevents audisp from logging there even though audisp to syslog is turned on.

I find that hard to believe, since "audit" is not a facility name and that's what rsyslog is expecting and the message I wrote IS what rsyslog prints when you give an invalid facility name, but okay.

Our end state is pretty simple, in theory. We want to have 1 copy of audit events on the system for auditing and send a remote copy elsewhere.

Hopefully Steve and friends won't mind that we're so off-topic here, but I would approach that differently if I were you.

Assuming you're using the rsyslog.conf that comes with RHEL (which includes /etc/rsyslog.d/*.conf before the main directives like the /var/log/messages action line):

  echo -e 'if $programname == "audispd" then @remotehost\n& ~' > /etc/rsyslog.d/audit.conf

Note that if you change the syslog plugin to use one of the local facility names (and not just change the priority as we discussed earlier), then you could have rsyslog filter on that instead of the programname -- benefit being that it will get you closer to only matching on actual audit records.

All that said, if you really want to send audit records to a central host, I hope you've at least considered using auditd's own native functionality.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]