I think Ed is correct. You should have a couple of lines in snare.conf with the following.

file=<path to logfile>
network=<remote hostname or ip>:<port>

You can comment out either one or leave both. You may even be able to specify more than one of each, but I haven't tried that.

kevin

On Tue, 2008-04-29 at 11:43 -0700, Greg Herrmann wrote:
> Which version of Snare are you running? If it's on an RHEL 5 server,
> I would assume version 1.3. If so, shouldn't you be
> modifying /etc/snare.conf in order to do this?
>
> Ed Christiansen <[EMAIL PROTECTED]> wrote:
>
> Do you REALLY want to do this? Your filesystem
> will just have more space taken up with duplicate
> information.
>
> Scott Ehrlich wrote:
> > Hello to all:
> >
> > I have Snare Agent and audit 1.5.2 running on a CentOS 5.0 box and a RHEL
> > 5.0 server. I ideally would like audit logs to be sent to both the
> > system's local audit.log file and to a log server. I reviewed the
> > /etc/audit/auditd.conf file and tried to play with things and move things
> > around, but an active watch of my log server's /var/log/syslog and local
> > machine's audit.log does NOT show simultaneous activity, leading me to
> > think it is either one way or the other, and that simultaneous local and
> > remote logging is not possible.
> >
> > Is there a way to get both?
> >
> > Thanks.
> >
> > Scott
> >
> > --
> > Linux-audit mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/linux-audit
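
Added example, not part of the original thread and not Snare's own code: a small check that a snare.conf has both an active file= and an active network= destination, as the reply above suggests. It assumes "#" starts a comment and one key=value per line; the sample config, host names and ports are constructed.

```python
# Constructed sample of the two output lines described in the reply above.
# Assumptions: '#' starts a comment, one key=value setting per line.
SAMPLE_CONF = """\
# keep a local copy of the audit events
file=/var/log/audit/snare.log
network=loghost.example.com:514
#network=192.0.2.10:6161
"""


def active_outputs(conf_text):
    """Return the uncommented file= paths and network= (host, port) pairs."""
    outputs = {"file": [], "network": []}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if "=" not in line:
            continue  # section headers and anything that is not key=value
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key == "file" and value:
            outputs["file"].append(value)
        elif key == "network":
            host, sep, port = value.rpartition(":")
            if not (sep and host and port.isdigit() and 0 < int(port) < 65536):
                raise ValueError(f"network= needs host:port, got {value!r}")
            outputs["network"].append((host, int(port)))
    return outputs


def logging_gaps(conf_text):
    """List which of the two destinations (local, remote) is not active."""
    out = active_outputs(conf_text)
    gaps = []
    if not out["file"]:
        gaps.append("no local file= destination")
    if not out["network"]:
        gaps.append("no remote network= destination")
    return gaps


if __name__ == "__main__":
    print(active_outputs(SAMPLE_CONF))
    print(logging_gaps(SAMPLE_CONF) or "local and remote logging both active")
```

An empty list from logging_gaps() means events are configured to go to both the local file and the log server; a commented-out line counts as missing.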
