NAME¶
audisp-remote - plugin for remote logging
SYNOPSIS¶
audisp-remote
DESCRIPTION¶
audisp-remote is a plugin for the audit event dispatcher daemon, audispd,
that preforms remote logging to an aggregate logging server.
TIPS¶
If you are aggregating multiple machines, you should enable node information in
the audit event stream. You can do this in one of two places. If you want
computer node names written to disk as well as sent in the realtime event
stream, edit the name_format option in /etc/audit/auditd.conf. If you only
want the node names in the realtime event stream, then edit the name_format
option in /etc/audisp/audispd.conf. Do not enable both as it will put 2 node
fields in the event stream.
SIGNALS¶
- SIGUSR1
- Causes the audisp-remote program to write the value of some of its
internal flags to syslog. The suspend flag tells whether or not
logging has been suspended. The transport_ok flag tells whether or
not the connection to the remote server is healthy. The queue_size
tells how many records are enqueued to be sent to the remote server.
- SIGUSR2
- Causes the audisp-remote program to resume logging if it were suspended
due to an error.
FILES¶
/etc/audisp/plugins.d/au-remote.conf, /etc/audit/auditd.conf,
/etc/audisp/audispd.conf, /etc/audisp/audisp-remote.conf
SEE ALSO¶
audispd(8),
auditd.conf(8), audispd.conf(8),
audisp-remote.conf(5).
AUTHOR¶
Steve Grubb