Please see inline - regards

On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <[email protected]> wrote:
> On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
> > Hi
> >
> > I tried my best to configure the audisp-remote.
> > I am getting below error on the client machine in /var/log/syslog.
> >
> > Oct 2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7:
> > Connection refused
>
> On the server, what do you get for:
>
> ausearch --start recent -m DAEMON_ACCEPT -i
>
> The server side records some information about why it did not allow a
> connection.
>

I don't see any info in here.

# ausearch --start recent -m DAEMON_ACCEPT -i
<no matches>

I tried without --start & -i options as well.

But when I do a tcpdump on central server, I do see requests coming in. (I changed port to 60).

# tcpdump -i eth1 '( port 60 )'
08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 4076269452, win 0, length 0
08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076287474, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 18024, win 0, length 0
08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076300652, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 31202, win 0, length 0
08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076306151, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0

I think the service is only listening locally and not for remote connections?

root@logs:/etc/audit# lsof -i :60
COMMAND   PID  USER FD TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 1713 root 3u IPv4 17433  0t0      TCP  192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)

How do I see that I am using libwrap? I have enable_krb5=no in the auditd.conf on the aggregative server.

> > 192.168.103.7 is the IP address of the central log server.
> >
> > Notes: My settings are below:
> >
> > on server as well on client:
> > /etc/audisp/audisp-remote
> >
> > remote_server = 192.168.103.7
> > port = 6999
> > local_port = 6999
> > transport = tcp
> > queue_file = /var/spool/audit/remote.log
> > mode = immediate
> > queue_depth = 2048
> > format = ascii
> > network_retry_time = 100
>
> This is probably not your problem but managed is the normal setting for
> format. And do you have enable_krb5 set to no?
>
> > I have enabled name_format=HOSTNAME only in one place (in
> > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf
> >
> > entries in auditd.conf:
> >
> > rtcp_listen_port = 6999
> > tcp_listen_queue = 5
> > tcp_max_per_addr = 10
> > tcp_client_ports = 0-65535
> > tcp_client_max_idle = 0
>
> What do you have for use_libwrap and enable_krb5?
>
> The ausearch info from the aggregating server should tell the reason why the
> connection is rejected.
>
> -Steve
>
> > I see the server is listening on the port 6999 as below but it's not
> > accepting client request.
> > root@logs:/etc# lsof -i :6999
> > COMMAND   PID  USER FD TYPE DEVICE SIZE/OFF NODE NAME
> > audisp-re 9091 root 3u IPv4 33671  0t0      TCP  192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)
> >
> >
> >
> > Best Regards,
> > Rituraj B
> >
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
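A diagnostic that makes the distinction the thread turns on explicit. It is an added example, not part of the mailing-list exchange and not audit-package code. The lsof output quoted above shows a single socket whose local and peer endpoints are the same address and port, and no LISTEN socket at all; with the quoted audisp-remote settings (remote_server pointing at the aggregation host itself, local_port equal to port) that is the signature of a TCP self-connection: the client plugin on the server bound port 6999 and connected to its own port, which the kernel completes via simultaneous open even though nothing is listening. Such a socket shows as ESTABLISHED but accepts no one, and every remote SYN gets the RST seen in the tcpdump. The script classifies `ss -tan` output into those cases; it assumes the standard `ss -tan` column layout (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port), and the sample socket table embedded in it is constructed to mirror the quoted lsof line, not captured from the poster's hosts.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): classify what the socket table says
# about the audit aggregation port.
# Assumes `ss -tan` columns: State Recv-Q Send-Q Local:Port Peer:Port.
#
# Results:
#   listening             a LISTEN socket on the port bound to a non-loopback
#                         address; remote clients can connect
#   listening-local-only  the only LISTEN socket is on 127.0.0.1 / [::1], so
#                         remote SYNs are answered with RST
#   self-connect          no listener; the only socket is ESTABLISHED with
#                         identical local and peer endpoints (audisp-remote on
#                         the aggregation host connecting to itself because
#                         remote_server is its own address and local_port == port)
#   none                  nothing on the port
classify_port() {
    port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            if ($4 ~ /^(127\.|\[::1\]:)/) local_only = 1; else listen = 1
        }
        $1 == "ESTAB" && $4 ~ (":" port "$") && $4 == $5 { self = 1 }
        END {
            if (listen)          print "listening"
            else if (local_only) print "listening-local-only"
            else if (self)       print "self-connect"
            else                 print "none"
        }'
}

# Constructed sample mirroring the quoted lsof output: one ESTABLISHED socket
# from 192.168.103.7:6999 to 192.168.103.7:6999 and no LISTEN entry.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.168.103.7:6999   192.168.103.7:6999'

check_sample() {
    printf '%s\n' "$SAMPLE_SS" | classify_port 6999
}

# Live check on the aggregation host; port defaults to 6999 as in the thread.
# Skipped quietly where ss is not installed.
check_live() {
    command -v ss >/dev/null 2>&1 || { echo "ss not available"; return 0; }
    ss -tan 2>/dev/null | classify_port "${1:-6999}"
}

check_sample
```

A healthy aggregation server prints `listening` for the port set by tcp_listen_port in auditd.conf, and the LISTEN socket belongs to auditd, not audisp-remote. If the result is `self-connect`, the server's own audisp-remote configuration is what occupies the port, and auditd has not opened a listener, so DAEMON_ACCEPT records will never appear because no connection ever reaches auditd to be accepted or refused.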
