Hi,

I tried my best to configure audisp-remote. I am getting the error below on the client machine in /var/log/syslog.

Oct 2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7: Connection refused

192.168.103.7 is the IP address of the central log server.

Notes: My settings are below, on the server as well as on the client:

/etc/audisp/audisp-remote
    remote_server = 192.168.103.7
    port = 6999
    local_port = 6999
    transport = tcp
    queue_file = /var/spool/audit/remote.log
    mode = immediate
    queue_depth = 2048
    format = ascii
    network_retry_time = 100

I have enabled name_format=HOSTNAME only in one place (in /etc/audisp/audispd.conf, and not in /etc/audit/auditd.conf).

Entries in auditd.conf:
    rtcp_listen_port = 6999
    tcp_listen_queue = 5
    tcp_max_per_addr = 10
    tcp_client_ports = 0-65535
    tcp_client_max_idle = 0

I see the server is listening on port 6999 as below, but it's not accepting client requests.

root@logs:/etc# lsof -i :6999
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 9091 root 3u IPv4 33671 0t0 TCP 192.168.103.7:6999-> 192.168.103.7:6999 (ESTABLISHED)

Best Regards,
Rituraj B
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
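A check that can be run over lsof output like the one quoted in the message above (added example, not part of the original post): it reports whether any socket on the port is in LISTEN state and flags an ESTABLISHED entry whose local and remote endpoints are identical. The LISTENER sample line and the function names are constructed for illustration.

```python
import re

# The lsof line quoted in the post, and a constructed line showing what a
# listening socket on the same port would look like (PID/inode are made up).
POSTED = ("audisp-re 9091 root 3u IPv4 33671 0t0 TCP "
          "192.168.103.7:6999-> 192.168.103.7:6999 (ESTABLISHED)")
LISTENER = "auditd 1234 root 7u IPv4 44001 0t0 TCP *:6999 (LISTEN)"

# COMMAND PID ... TCP local[->remote] (STATE); tolerates spaces around "->".
SOCK = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s.*?\bTCP\s+(?P<local>\S+?)"
    r"(?:\s*->\s*(?P<remote>\S+))?\s+\((?P<state>[A-Z_0-9]+)\)\s*$"
)

def classify(line):
    """Return 'listener', 'self-connection', 'connection' or 'unparsed'."""
    m = SOCK.match(line.strip())
    if not m:
        return "unparsed"          # header row or non-TCP entry
    if m["state"] == "LISTEN":
        return "listener"
    # Same address and port on both ends: the process is connected to its
    # own source port, so nothing is accepting connections from other hosts.
    if m["remote"] and m["remote"] == m["local"]:
        return "self-connection"
    return "connection"

def has_listener(lsof_lines, port):
    """True only if some socket on `port` is actually in LISTEN state."""
    for line in lsof_lines:
        m = SOCK.match(line.strip())
        if (m and m["state"] == "LISTEN"
                and m["local"].rsplit(":", 1)[-1] == str(port)):
            return True
    return False

if __name__ == "__main__":
    for sample in (POSTED, LISTENER):
        print(classify(sample), "<-", sample)
    print("listener on 6999 in posted output:", has_listener([POSTED], 6999))
```

An entry only shows that a server is accepting connections when its state is LISTEN; an ESTABLISHED row proves a connection exists, not that a listener does.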
