Hi, all: I'm interested in sending audit logs to a central logging server. One option is using the builtin syslog plugin for audisp, but I also see audisp-remote that mentions sending logs to a remote server. Unfortunately, I'm having trouble finding more information about that (such as "what kind of a remote server" and "how do you set up a remote server").
Also a suggestion -- the syslog plugin for audisp doesn't specify the facility, so the default facility (LOG_USER) is used. Perhaps this can be made configurable so I could configure syslog to only send audit logs to remote without duplicating them in /var/log/messages (e.g. set facility to local9 and only send it to a remote server, not locally)? Currently that's not possible and I end up wasting space by having audit logs both in /var/log/audit/audit.log and in /var/log/messages. Turning off af_unix is an option, but that has a significant drawback of complicating ausearch/aureport.

Regards,
--
Konstantin "Kay" Ryabitsev
McGill University IT Security
Montréal, Québec

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
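The routing the post asks for, written out as an added configuration example (not from the original message or from the audit project's shipped files). It assumes an audisp syslog plugin that accepts a facility as a second argument after the priority (later audit releases do; the post's version does not), rsyslog as the local syslog daemon, and a hypothetical collector host loghost.example.com listening on TCP 514. One caveat: syslog defines only local0 through local7, so "local9" from the post is not a valid facility; the example uses local6.

```conf
# /etc/audisp/plugins.d/syslog.conf  (assumed: plugin build that takes a facility argument)
# Emit audit events at LOG_INFO, tagged with facility local6 instead of the
# default LOG_USER, so they can be matched separately from ordinary messages.
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6
format = string

# /etc/rsyslog.d/10-audit-remote.conf  (assumed file name; hostname is hypothetical)
# Forward everything on local6 to the central collector over TCP (@@ = TCP, @ = UDP)...
local6.* @@loghost.example.com:514
# ...and stop processing so the same events never reach the catch-all rule
# that writes /var/log/messages. On rsyslog older than 7, use "& ~" instead of "& stop".
& stop
```

Order matters: the forwarding rule and its "& stop" must appear before the rule that writes *.info to /var/log/messages, otherwise the discard comes too late and the duplicate is written anyway. Keeping af_unix enabled means /var/log/audit/audit.log is still written locally, so ausearch and aureport keep working as before.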
