Additional info: I doubt that the daemon is only listening on localhost and not accepting remote.
# lsof -i :6999
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 9624 root    3u  IPv4  37642      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)

Btw, no iptables is running on the host. Also no tcpwrappers.

Regards

Best Regards,
Rituraj B

On Tue, Oct 3, 2017 at 12:25 AM, Rituraj Buddhisagar <[email protected]> wrote:
> Hi
>
> I tried my best to configure the audisp-remote.
> I am getting below error on the client machine in /var/log/syslog.
>
> Oct 2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7: Connection refused
>
> 192.168.103.7 is the IP address of the central log server.
>
> Notes: My settings are below:
>
> on server as well on client:
> /etc/audisp/audisp-remote
>
> remote_server = 192.168.103.7
> port = 6999
> local_port = 6999
> transport = tcp
> queue_file = /var/spool/audit/remote.log
> mode = immediate
> queue_depth = 2048
> format = ascii
> network_retry_time = 100
>
> I have enabled name_format=HOSTNAME only in one place (in
> /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf)
>
> entries in auditd.conf:
>
> rtcp_listen_port = 6999
> tcp_listen_queue = 5
> tcp_max_per_addr = 10
> tcp_client_ports = 0-65535
> tcp_client_max_idle = 0
>
> I see the server is listening on the port 6999 as below but it's not
> accepting client request.
> root@logs:/etc# lsof -i :6999
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)
>
> Best Regards,
> Rituraj B
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
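
A check for the `lsof -i :6999` output quoted in the message above, added here as an example (it is not part of the original post or of the audit project's code): it reports whether any socket on the port is in LISTEN state and flags a connection whose local and remote endpoints are identical. The function names and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `lsof -nP -i :PORT` rows read from stdin.
# classify_lsof, post_sample and healthy_sample are hypothetical names.

classify_lsof() {
    awk '
    $1 == "COMMAND" { next }                 # skip the header row
    {
        state = $NF                          # "(LISTEN)", "(ESTABLISHED)", ...
        name  = $(NF - 1)                    # "*:6999" or "local->remote"
        if (state == "(LISTEN)") {
            listeners++
            print "LISTEN " $1 " pid=" $2 " on " name
        } else if (split(name, ep, "->") == 2) {
            # Identical endpoints: the client socket is connected to itself.
            kind = (ep[1] == ep[2]) ? "SELF-CONNECT" : "CONNECTION"
            print kind " " $1 " pid=" $2 " " name
        }
    }
    END { if (!listeners) print "NO-LISTENER" }
    '
}

# Row from the message (wrapped line joined).
post_sample() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 9624 root 3u IPv4 37642 0t0 TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)
EOF
}

# Constructed rows: a daemon in LISTEN state plus one remote client.
healthy_sample() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
auditd 1234 root 10u IPv4 40000 0t0 TCP *:6999 (LISTEN)
auditd 1234 root 11u IPv4 40001 0t0 TCP 192.168.103.7:6999->192.168.103.20:41234 (ESTABLISHED)
EOF
}

post_sample | classify_lsof
healthy_sample | classify_lsof
```

On a live host, pipe `lsof -nP -i :6999` into `classify_lsof`. An ESTABLISHED row is not a listening socket; with `local_port` equal to `port` and `remote_server` set to the host's own address, a client socket can end up connected to itself, which is the SELF-CONNECT case.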
