Audisp-remote - connection refused.

Rituraj Buddhisagar rituraj at vayana.com
Tue Oct 3 03:31:15 UTC 2017


Please see inline-

regards

On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
> > Hi
> >
> > I tried my best to configure the audisp-remote.
> > I am getting below error on the client machine in /var/log/syslog.
> >
> > Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7:
> > Connection refused
>
>
> On the server, what do you get for:
>
> ausearch --start recent -m DAEMON_ACCEPT -i
>
> The server side records some information about why it did not allow a
> connection.
>
>
I don't see any info in here.

# ausearch --start recent -m DAEMON_ACCEPT -i
<no matches>

I tried without --start & -i options as well.

But when I do a tcpdump on central server, I do see requests coming in. (I
changed port to 60).
# tcpdump -i eth1 '( port 60 )'
08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451,
win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
length 0
08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
4076269452, win 0, length 0
08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076287474,
win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
length 0
08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
18024, win 0, length 0
08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076300652,
win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
length 0
08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
31202, win 0, length 0
08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076306151,
win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
length 0

I think the service is only listening locally and not for remote
connections?
root at logs:/etc/audit# lsof -i :60
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 1713 root    3u  IPv4  17433      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)


How do I see that I am using libwrap? I have enable_krb5=no in the
auditd.conf on the aggregative server.



> > 192.168.103.7 is the IP address of the central log server.
> >
> > Notes: My settings are below:
> >
> > on server as well on client:
> > /etc/audisp/audisp-remote
> >
> > remote_server = 192.168.103.7
> > port = 6999
> > local_port = 6999
> > transport = tcp
> > queue_file = /var/spool/audit/remote.log
> > mode = immediate
> > queue_depth = 2048
> > format = ascii
> > network_retry_time = 100
>
> This is probably not your problem but managed is the normal setting for
> format. And do you have enable_krb5 set to no?
>
> > I have enabled name_format=HOSTNAME only in one place (in
> > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf
> >
> > entries in auditd.conf:
> >
> > rtcp_listen_port = 6999
> > tcp_listen_queue = 5
> > tcp_max_per_addr = 10
> > tcp_client_ports = 0-65535
> > tcp_client_max_idle = 0
>
> What do you have for use_libwrap and enable_krb5?
>
> The ausearch info from the aggregating server should tell the reason why the
> connection is rejected.
>
> -Steve
>
> > I see the server is listening on the port 6999 as below but it's not
> > accepting client requests.
> > root at logs:/etc# lsof -i :6999
> > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)
> >
> >
> >
> > Best Regards,
> > Rituraj B
>
>
>
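Added here as an example, not part of the thread or of the audit project: a small consistency check between the client's audisp-remote.conf and the server's auditd.conf that reports the conditions under which auditd never accepts a remote client (tcp_listen_port unset or different from the client's port, the client's local_port outside tcp_client_ports, or a server key that is not one of the documented auditd.conf remote-logging options). The two sample files are constructed from the values quoted above; the key list is the subset documented in auditd.conf(5).

```python
import difflib

# Remote-logging keys documented in auditd.conf(5) (subset relevant to this thread).
AUDITD_NET_KEYS = sorted({"tcp_listen_port", "tcp_listen_queue", "tcp_max_per_addr", "tcp_client_ports",
                          "tcp_client_max_idle", "use_libwrap", "enable_krb5"})

# Constructed sample files, using the values quoted in the thread above.
CLIENT_CONF = """remote_server = 192.168.103.7
port = 6999
local_port = 6999
"""
SERVER_CONF = """rtcp_listen_port = 6999
tcp_listen_queue = 5
tcp_max_per_addr = 10
tcp_client_ports = 0-65535
tcp_client_max_idle = 0
"""

def parse_kv(text):
    """Parse 'key = value' lines; blank lines and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[key] = value
    return conf

def check_remote_logging(client_text, server_text):
    """Return a list of findings; an empty list means the two files agree."""
    client, server = parse_kv(client_text), parse_kv(server_text)
    findings = []
    # A misspelled key is not applied by auditd, so look for near misses of known keys.
    for key in server:
        if key not in AUDITD_NET_KEYS:
            guess = difflib.get_close_matches(key, AUDITD_NET_KEYS, n=1, cutoff=0.8)
            if guess:
                findings.append(f"server: unknown key {key!r} (did you mean {guess[0]!r}?)")
    listen = server.get("tcp_listen_port")
    if listen is None:
        findings.append("server: tcp_listen_port is unset, so auditd does not listen for remote clients")
    elif client.get("port") != listen:
        findings.append(f"port mismatch: client port={client.get('port')} vs tcp_listen_port={listen}")
    # auditd only accepts clients whose source port lies inside tcp_client_ports.
    spec = server.get("tcp_client_ports", "0-65535").split("-")
    low, high = int(spec[0]), int(spec[-1])
    if "local_port" in client and not low <= int(client["local_port"]) <= high:
        findings.append(f"client local_port {client['local_port']} is outside tcp_client_ports {'-'.join(spec)}")
    return findings
```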