NAME
audisp-remote.conf - the audisp-remote configuration file
DESCRIPTION
audisp-remote.conf is the file that controls the configuration of the
audit remote logging subsystem. The options that are available are as follows:
- remote_server
- This is a one word character string that is the remote
server hostname or address that this daemon will send log information to.
This can be the numeric address or a resolvable hostname.
- port
- This option is an unsigned integer that indicates what port
to connect to on the remote machine.
- local_port
- This option is an unsigned integer that indicates what
local port to connect from on the local machine. If unspecified (the
default) or set to the word any, then any available unprivileged
port is used. Fixing the source port is a security mechanism to prevent
untrusted user space apps from injecting events into the aggregating
audit daemon: only privileged users can bind a port < 1024, so set it to
an unused port below 1024 and then set tcp_client_ports in the
aggregating auditd.conf file to match the ports that clients are sending
from, so the aggregator rejects connections from any other source port.
- transport
- This parameter tells the remote logging app how to send
events to the remote system. The only valid value right now is tcp.
If set to tcp, the remote logging app will just make a normal clear-text
connection to the remote system, so events can be read or altered in
transit by anyone on the network path. This setting is not used if
Kerberos is enabled (see enable_krb5).
- mode
- This parameter tells the remote logging app what strategy
to use to get records to the remote system. Valid values are
immediate and forward. If set to immediate, the
remote logging app will attempt to send events immediately after getting
them. forward, which is not implemented yet, means that it will
store the events to disk and then attempt to send the records. If the
connection cannot be made, it will queue records until it can connect
to the remote system. The depth of the queue is controlled by the
queue_depth option.
- queue_depth
- This option is an unsigned integer that determines how many
records can be buffered to disk or in memory before considering it to be a
failure sending. This parameter affects the forward mode of the
mode option and internal queueing for temporary network outages.
The default depth is 200. Once the queue is full, sending is treated as
failed and network_failure_action applies, so size the queue for the
longest outage you expect to ride out.
- format
- This parameter tells the remote logging app what data
format will be used for the messages sent over the network. The default is
managed, which adds some overhead to ensure each message is properly
handled on the remote end, and to receive status messages from the remote
server. If ascii is given instead, each message is a simple ASCII
text line with no overhead at all. Because ascii carries no status
messages back, the client cannot learn about remote disk or shutdown
conditions, and Kerberos encryption requires managed (see enable_krb5).
- network_retry_time
- The time, in seconds, between retries when a network error
is detected. Note that this pause applies starting after the second
attempt, so as to avoid unneeded delays if a reconnect is sufficient to
fix the problem. The default is 1 second.
- max_tries_per_record
- The maximum number of times an attempt is made to deliver
each message. The minimum value is one, as even a completely successful
delivery requires at least one try. If too many attempts are made, the
network_failure_action action is performed. The default is 3.
- max_time_per_record
- The maximum amount of time, in seconds, spent attempting to
deliver each message. Note that both this and max_tries_per_record
should be set, as each try may take a long time to time out. The default
value is 5 seconds. If too much time is used on a message, the
network_failure_action action is performed.
- heartbeat_timeout
- This parameter determines how often, in seconds, the client
should send a heartbeat event to the remote server. This lets both the
client and server know that the other end is alive and has not terminated
without closing the connection cleanly. This value must be coordinated
with the server's tcp_client_max_idle setting: the heartbeat interval
must be shorter than the server's idle limit, or the server will drop an
idle but healthy client. The default value is 0, which disables sending
a heartbeat.
- network_failure_action
- This parameter tells the system what action to take
whenever there is an error detected when sending audit events to the
remote system. Valid values are ignore, syslog, exec,
suspend, single, halt, and stop. If set to
ignore, the audit daemon does nothing. syslog means that it
will issue a warning to syslog; this is the default. exec
/path-to-script will execute the script. You cannot pass parameters to the
script. suspend will cause the remote logging app to stop sending
records to the remote system; the logging app will still be alive. The
single option will cause the remote logging app to put the computer
system in single user mode. The stop option will cause the remote
logging app to exit, but leave other plugins running. The halt
option will cause the remote logging app to shut down the computer
system.
- disk_low_action
- Likewise, this parameter tells the system what action to
take if the remote end signals a disk low error. The default is to ignore
it.
- disk_full_action
- Likewise, this parameter tells the system what action to
take if the remote end signals a disk full error. The default is to ignore
it.
- disk_error_action
- Likewise, this parameter tells the system what action to
take if the remote end signals a disk error. The default is to log it to
syslog.
- remote_ending_action
- Likewise, this parameter tells the system what action to
take if the remote end signals that it is shutting down and ending the
connection. This action has one
additional option, reconnect, which tells the remote plugin to
attempt to reconnect to the server upon receipt of the next audit record.
If it is unsuccessful, the audit record could be lost. The default is to
suspend logging.
- generic_error_action
- Likewise, this parameter tells the system what action to
take if the remote end signals an error we don't recognize. The default is
to log it to syslog.
- generic_warning_action
- Likewise, this parameter tells the system what action to
take if the remote end signals a warning we don't recognize. The default
is to log it to syslog.
- enable_krb5
- If set to "yes", Kerberos 5 will be used for
authentication and encryption. Default is "no". Note that
encryption can only be used with managed connections, not plain
ASCII.
- krb5_principal
- If specified, this is the expected principal for the
server. The client and server will use the specified principal to
negotiate the encryption. The format for the krb5_principal is like
somename/hostname; see the auditd.conf man page for details. If not
specified, the krb5_client_name and remote_server values are used.
- krb5_client_name
- This specifies the name portion of the client's own
principal. If unspecified, the default is "auditd". The
remainder of the principal will consist of the host's fully qualified
domain name and the default Kerberos realm, like this:
auditd/host14.example.com@EXAMPLE.COM (assuming you gave
"auditd" as the krb5_client_name). Note that the client and
server must have the same principal name and realm.
- krb5_key_file
- Location of the key for this client's principal. Note that
the key file must be owned by root and mode 0400. The default is
/etc/audisp/audisp-remote.key
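The options above interact: a default local_port lets any local process spoof events toward the aggregator, ascii format disables every remote-signalled action, and cleartext tcp without Kerberos is readable and forgeable on the wire. The following linter is an added example, not part of the audit project; it parses the key = value syntax of this file and reports those weak settings, and checks the krb5_key_file ownership and mode rule. Both sample configurations (the collector name, port 60, local port 1001 and the TEST-NET address) are constructed for the example.

```python
"""Lint an audisp-remote.conf for settings that weaken remote logging.

Added example, not the audit project's own code. Parses 'key = value'
lines as audisp-remote.conf uses them and reports weak settings.
"""
import os
import stat
import tempfile

# Values the man page documents as defaults when a key is absent.
DEFAULTS = {
    "local_port": "any",
    "transport": "tcp",
    "format": "managed",
    "enable_krb5": "no",
    "heartbeat_timeout": "0",
    "network_failure_action": "syslog",
    "krb5_key_file": "/etc/audisp/audisp-remote.key",
}


def parse_conf(text):
    """Parse 'key = value' lines; '#' starts a comment, blank lines are skipped."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key.lower()] = value
    return conf


def lint(conf):
    """Return a list of findings; an empty list means nothing weak was found."""
    findings = []
    lp = conf["local_port"].lower()
    if lp == "any" or not lp.isdigit():
        findings.append("local_port unset/any: any local process can send from an "
                        "ephemeral port; use a port < 1024 and list it in "
                        "tcp_client_ports on the aggregator")
    elif int(lp) >= 1024:
        findings.append("local_port %s is unprivileged; use a port < 1024 so only "
                        "root can bind it" % lp)
    if conf["format"].lower() == "ascii":
        findings.append("format = ascii: no status messages, so remote disk/ending "
                        "actions never fire and krb5 cannot be used")
    if conf["enable_krb5"].lower() != "yes":
        findings.append("enable_krb5 = no: events cross the network in clear text "
                        "with no authentication of either end")
    elif conf["format"].lower() != "managed":
        findings.append("enable_krb5 = yes requires format = managed")
    if conf["heartbeat_timeout"] == "0":
        findings.append("heartbeat_timeout = 0: a dead peer is only noticed when "
                        "the next record is sent")
    if conf["network_failure_action"].lower() == "ignore":
        findings.append("network_failure_action = ignore: delivery failures are silent")
    return findings


def check_key_file(path):
    """krb5_key_file must exist, be owned by root and have mode 0400."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["krb5_key_file %s does not exist" % path]
    findings = []
    if st.st_uid != 0:
        findings.append("%s is not owned by root" % path)
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o400:
        findings.append("%s has mode %04o, expected 0400" % (path, mode))
    return findings


def key_file_demo(mode):
    """Create a throwaway key file with the given mode and lint it (demo only)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return check_key_file(path)
    finally:
        os.remove(path)


# Constructed sample: relies on every default, so it is weak on all counts.
WEAK_CONF = """\
remote_server = 192.0.2.10   # constructed address
port = 60
format = ascii
"""

# Constructed sample with the hardened settings this page describes.
HARDENED_CONF = """\
remote_server = audit-collector.example.com
port = 60
local_port = 1001            # < 1024, listed in tcp_client_ports on the collector
transport = tcp
mode = immediate
queue_depth = 2000
format = managed
network_retry_time = 1
max_tries_per_record = 3
max_time_per_record = 5
heartbeat_timeout = 30       # shorter than the collector's tcp_client_max_idle
network_failure_action = syslog
remote_ending_action = reconnect
enable_krb5 = yes
krb5_principal = auditd/audit-collector.example.com
krb5_key_file = /etc/audisp/audisp-remote.key
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for finding in lint(parse_conf(text)) or ["ok"]:
            print("  -", finding)
```

Run it against a real file with lint(parse_conf(open("/etc/audisp/audisp-remote.conf").read())) followed by check_key_file(conf["krb5_key_file"]); the ownership finding only disappears when the file is actually root-owned, which the throwaway demo file is not unless you run it as root.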
NOTES
Specifying a local port may make it difficult to restart the audit subsystem due
to the previous connection being in a TIME_WAIT state, if you're reconnecting
to and from the same hosts and ports as before.
The network failure logic works as follows: the first attempt to deliver
normally "just works". If it doesn't, a second attempt is
immediately made, perhaps after reconnecting to the server. If the second
attempt also fails,
audisp-remote pauses for the configured network_retry_time and
tries again. It continues to pause and retry until either too many attempts
have been made (max_tries_per_record) or the allowed time expires
(max_time_per_record). Note that these limits govern the
maximum amount of time the remote server is allowed in order to reboot, if you
want to maintain logging across a reboot.
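To see how the three limits combine into an outage window, the following model of that retry loop is an added example, not the daemon's own code: it follows the sequence just described (two immediate tries, then a pause before each further try, stopping at the try or time limit) against a simulated clock and a collector that is down until a chosen moment. The order in which the try limit and time limit are checked after a failure is an assumption of the model, as is the connect_timeout parameter used to show a slow failure eating into max_time_per_record.

```python
"""Model of the audisp-remote per-record retry loop (added example, not
the daemon's code).  Shows how long an outage the configured limits ride out."""


class FakeClock:
    """Simulated wall clock so the model runs instantly and deterministically."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def server_down_until(clock, up_at, connect_timeout=0.0):
    """Build a send() that fails while clock.now() < up_at.

    connect_timeout (assumed parameter) is how long a failed attempt takes,
    modelling the "each try may take a long time to time out" caveat."""
    def send():
        if clock.now() < up_at:
            clock.sleep(connect_timeout)
            return False
        return True
    return send


def deliver(send, clock, max_tries, max_time, retry_time):
    """Attempt one record as the NOTES describe.

    Returns (delivered, tries_used, seconds_elapsed).  After a failed try the
    model checks max_tries first, then max_time (assumed ordering), and only
    pauses for retry_time from the second failure onward."""
    start = clock.now()
    tries = 0
    while True:
        tries += 1
        if send():
            return (True, tries, clock.now() - start)
        if tries >= max_tries:
            return (False, tries, clock.now() - start)   # network_failure_action fires
        if clock.now() - start >= max_time:
            return (False, tries, clock.now() - start)   # network_failure_action fires
        if tries >= 2:
            clock.sleep(retry_time)                      # pause only after the 2nd failure


def tolerated_outage(max_tries, max_time, retry_time, connect_timeout=0.0):
    """Largest whole-second outage (server back at t = N) the record survives."""
    limit = int(max_time + max_tries * (retry_time + connect_timeout)) + 2
    for up_at in range(limit):
        clock = FakeClock()
        ok, _, _ = deliver(server_down_until(clock, up_at, connect_timeout),
                           clock, max_tries, max_time, retry_time)
        if not ok:
            return up_at - 1
    return limit - 1


if __name__ == "__main__":
    print("defaults (3 tries, 5 s, 1 s retry):", tolerated_outage(3, 5, 1), "s")
    print("5 tries, 60 s, 10 s retry:", tolerated_outage(5, 60, 10), "s")
    print("100 tries, 60 s, 10 s retry:", tolerated_outage(100, 60, 10), "s")
    print("10 tries, 5 s, 1 s retry, 3 s connect timeout:",
          tolerated_outage(10, 5, 1, connect_timeout=3), "s")
```

With the documented defaults the record survives only a one-second outage (tries at t = 0, 0 and 1), so a collector that reboots needs max_tries_per_record and max_time_per_record raised together; raising tries alone is capped by the time limit, and slow connect failures consume that time budget with very few tries.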
SEE ALSO
audispd(8),
audisp-remote(8), auditd.conf(5).
AUTHOR
Steve Grubb