Hi Steve / List

Now, I have built auditd from source as per the mail thread and then also created a startup script.

The auditd is starting successfully. The client is able to connect to the aggregating server.

*node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272): addr=192.168.103.2 port=60 res=success*

I have made the necessary change in the server in /etc/audit/auditd.conf

*log_format = NOLOG*

I do not see any logs being populated - I checked the log file on the client, the server, and also /var/spool/audit/remote.log on the client. On the server side /var/spool/audit/remote.log is empty (I am not sure if this is something I should be checking at all).

I am clueless as to what is happening. Is there some way to debug this? Where are these logs getting lost? When I change the log_format back to RAW I do see the logs getting created on the client.

I did my best reading on the net and debugging this - but no success. Please help.

On Wed, Oct 4, 2017 at 1:52 AM, Steve Grubb <[email protected]> wrote:
> On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote:
> > Steve,
> >
> > Here is the relevant discussion on disabling the tcp listener on Ubuntu.
> > https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html
> >
> > I do not know what exactly caused the change - but now I think it should be
> > enabled in distributions.
> >
> > Please let me know.
> >
> > Btw, I got auditd running (by setting LD_LIBRARY_PATH variable) from source
> > now. Still audispd is not started now - what is the way / sequence to start
> > auditd and audispd - if you can point me to some reference or a startup
> > script will help.
>
> Since you installed in a non-standard location, you probably need to adjust
> paths in the config files.
>
> What I would recommend is not to build and install by hand, but to use their
> package manager to build a new package with listening enabled. The ./configure
> script takes a --disable-listener parameter. So, it's probably as simple as
> deleting that in the source package and rebuilding.
>
> That said, I have no idea how to build a package on Debian or Ubuntu.
>
> -Steve
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
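The message above pairs a server-side `log_format = NOLOG` with a client that forwards through audisp-remote and then asks where the records go. The following is an added example, not code from the audit project or from anyone on the thread: a small consistency checker that parses the `key = value` format shared by `/etc/audit/auditd.conf` (aggregating server) and `/etc/audisp/audisp-remote.conf` (client) and reports the settings that decide whether forwarded records are written anywhere. The sample configs are constructed to mirror the setup described in the thread (listener on port 60, `log_format` toggled between NOLOG and RAW); the server address 192.168.103.1 in the client config is an assumption, as is the set of keys present in each file.

```python
"""Consistency checks for an auditd remote-logging pair (added example).

Parses the `key = value` lines used by /etc/audit/auditd.conf on the
aggregating server and /etc/audisp/audisp-remote.conf on the client, then
reports settings under which forwarded records never reach disk.
"""

# Constructed server config mirroring the thread: listener enabled on
# port 60 and log_format switched to NOLOG.
SERVER_CONF_NOLOG = """
log_file = /var/log/audit/audit.log
log_format = NOLOG
tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
"""

# The same server with log_format back at RAW.
SERVER_CONF_RAW = SERVER_CONF_NOLOG.replace("log_format = NOLOG", "log_format = RAW")

# Constructed client config for audisp-remote; the server address is assumed.
CLIENT_CONF = """
remote_server = 192.168.103.1
port = 60
local_port = any
transport = tcp
queue_file = /var/spool/audit/remote.log
mode = immediate
format = managed
"""


def parse_audit_conf(text):
    """Parse `key = value` lines; '#' comments and blank lines are skipped.
    Keys are lower-cased so lookups are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key = value line; ignored here
        conf[key.strip().lower()] = value.strip()
    return conf


def check_server(server):
    """Findings for the aggregating server's auditd.conf."""
    findings = []
    if not server.get("tcp_listen_port"):
        findings.append("server: tcp_listen_port unset, auditd will not accept remote clients")
    # NOLOG tells auditd to discard records instead of writing them to
    # log_file; only a local audispd plugin could still carry them elsewhere.
    if server.get("log_format", "RAW").upper() == "NOLOG":
        findings.append("server: log_format = NOLOG discards records instead of writing "
                        "them to log_file; records accepted from clients persist only "
                        "if a local audispd plugin forwards them")
    return findings


def check_client(client, server):
    """Findings for the client's audisp-remote.conf, cross-checked with the server."""
    findings = []
    if not client.get("remote_server"):
        findings.append("client: remote_server is empty, audisp-remote has nowhere to send")
    server_port = server.get("tcp_listen_port")
    client_port = client.get("port", "60")  # audisp-remote's default server port
    if server_port and client_port != server_port:
        findings.append("client: port = %s does not match server tcp_listen_port = %s"
                        % (client_port, server_port))
    return findings


def audit_pair(server_text, client_text):
    """Parse both configs and return every finding; an empty list means consistent."""
    server = parse_audit_conf(server_text)
    client = parse_audit_conf(client_text)
    return check_server(server) + check_client(client, server)


if __name__ == "__main__":
    for label, conf in (("NOLOG server", SERVER_CONF_NOLOG), ("RAW server", SERVER_CONF_RAW)):
        print(label)
        for finding in audit_pair(conf, CLIENT_CONF) or ["ok"]:
            print("  " + finding)
```

Run against the NOLOG variant it reports a single finding on the server's `log_format`; with RAW restored and the client's `port` matching `tcp_listen_port` it reports nothing. The checker only reads the files, so it can be pointed at both hosts' configs before touching the daemons.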
