On Tue, 2008-09-09 at 14:36 -0400, DJ Delorie wrote:
> > Is there a HOWTO for activating the 1.7.5 aggregating feature?
>
> Just the man pages.
>
> > I believe that the collector needs to uncomment the lines
> > in /etc/auditd/auditd.conf and the senders/clients need to set
> > active=yes, remote=<IP-address> in the audisp-remote.conf file.
>
> The collector needs the listener configured in /etc/audit/auditd.conf:
>
> tcp_listen_port = 1237
>
> The clients need the audisp-remote module enabled and configured:
>
> /etc/audisp/plugins.d/au-remote.conf:
> active = yes
>
> /etc/audisp/audisp-remote.conf:
> remote_server = 192.16.1.12 (your server's IP, not mine ;)
> port = 1237 (or use some other port, up to you)
> transport = tcp
>
> Additional options:
> format = managed
> network_retry_time = 1
> max_tries_per_record = 10
> max_time_per_record = 7
>
> You'll have to enable the connection through tcp_wrappers as well, if
> you have that option enabled, as well as whatever firewall rules may
> apply.
Thanks for the above. I am only looking at the server/collector startup right now.

> > However, my collector auditd fails on start;
>
> Messages?

Not real helpful so far (/var/log/messages - any other place?):

Sep 9 13:41:15 fryspc auditd[3786]: Init complete, auditd 1.7.5 listening for events (startup state enable)
Sep 9 13:41:15 fryspc auditd[3786]: Cannot bind tcp listener socket to port 1237
Sep 9 13:41:15 fryspc auditd[3786]: The audit daemon is exiting.

Thx!
LCB.

--
LC (Lenny) Bruzenak
[EMAIL PROTECTED]

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
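As an added example, not from this thread or from the audit project: a POSIX shell pre-flight check for the collector and client settings DJ listed above, which also tests for the usual cause of the "Cannot bind tcp listener socket" failure (the port already held by another listener). The conf_get, check_collector and check_client helpers and the sample config files are constructed here and are assumptions, not part of auditd.

```shell
# Added example (not auditd's own tooling). Assumes the "key = value" layout
# of auditd.conf / audisp-remote.conf and that ss or netstat is available.

conf_get() {
    # usage: conf_get FILE KEY -> prints the value, or nothing if unset
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# Collector side: tcp_listen_port must be set and must not already be bound.
# Returns 0 = ready, 1 = no listener configured, 2 = port already in use.
check_collector() {
    conf="$1"
    port=$(conf_get "$conf" tcp_listen_port)
    if [ -z "$port" ]; then
        echo "no tcp_listen_port in $conf: collector will not listen"
        return 1
    fi
    if command -v ss >/dev/null 2>&1; then
        listeners=$(ss -ltn 2>/dev/null | awk 'NR>1 {print $4}')
    else
        listeners=$(netstat -ltn 2>/dev/null | awk '{print $4}')
    fi
    if printf '%s\n' "$listeners" | grep -q ":$port\$"; then
        echo "port $port already bound: auditd will log 'Cannot bind tcp listener socket'"
        return 2
    fi
    echo "collector ready to listen on tcp port $port"
}

# Client side: au-remote plugin active, remote_server and port set.
check_client() {
    plugin="$1"; remote="$2"
    active=$(conf_get "$plugin" active)
    server=$(conf_get "$remote" remote_server)
    port=$(conf_get "$remote" port)
    [ "$active" = "yes" ] || { echo "au-remote plugin not active in $plugin"; return 1; }
    [ -n "$server" ] && [ -n "$port" ] || { echo "remote_server/port missing in $remote"; return 1; }
    echo "client will forward audit events to $server:$port"
}

# Constructed sample files mirroring the settings quoted in the thread.
tmp=$(mktemp -d)
printf 'log_file = /var/log/audit/audit.log\ntcp_listen_port = 1237\n' > "$tmp/auditd.conf"
printf 'active = yes\n' > "$tmp/au-remote.conf"
printf 'remote_server = 192.16.1.12\nport = 1237\ntransport = tcp\n' > "$tmp/audisp-remote.conf"
check_collector "$tmp/auditd.conf" || echo "collector check failed with status $?"
check_client "$tmp/au-remote.conf" "$tmp/audisp-remote.conf" || echo "client check failed"
```

Run it as the user that starts auditd on each box; a status of 2 on the collector points at a port clash rather than at the config file.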
