On Wednesday, October 4, 2017 12:02:06 PM EDT Rituraj Buddhisagar wrote:
> HI Steve,
>
> I did the necessary,
> Change in auditd.conf - log_format to ENRICHED.
> write_logs set to "no" on client and "yes" on aggregating server.
> name_format was already set in auditd.conf and not in audispd.conf on both
> the servers.
>
> I still do not see any logs coming in /var/log/audit/audit.log on
> aggregating server.
You can run auditd -f on both systems to see on screen what is happening. Then
on the remote, auditctl -m test. You should see it on the remote screen
followed by the server screen. If you do, then something is wrong with your
config file paths. If you don't see events, I think you have some
troubleshooting of your own to do. I can't see your system so you'll have to
figure it out.

I also updated the INSTALL file in github to better reflect how to build and
install it from scratch.

> Any debugging tools to see the queue of audisp-remote? The spool file
> /var/spool/audit/remote.log is not having entries populated (btw I had to
> create it manually).

It only uses a spool file if the mode is forward. Immediate mode does not use
it.

> On Wed, Oct 4, 2017 at 8:49 PM, Steve Grubb <[email protected]> wrote:
> > On Wednesday, October 4, 2017 10:01:49 AM EDT Rituraj Buddhisagar wrote:
> > > Hi Steve / List
> > >
> > > Now, I have built auditd from source as per the mail thread and then also
> > > created a startup script.
> > >
> > > The auditd is starting successfully.
> > >
> > > The client is able to connect to the aggregating server.
> > >
> > > node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272):
> > > addr=192.168.103.2 port=60 res=success
> > >
> > > I have made the necessary change in the server in /etc/audit/auditd.conf
> > >
> > > log_format = NOLOG
> >
> > This is a deprecated option that tells it to not write anything to disk.
> >
> > > I do not see any logs being populated - I checked log file on client, the
> > > server - also the /var/spool/audit/remote.log on the client.
> > > On the server side /var/spool/audit/remote.log is empty (I am not sure if
> > > this is something I should be checking at all)
> > >
> > > I am clueless as to what is happening. Is there some way to debug this?
> >
> > Did you modify auditd.conf to have the format be nolog? If so, it's an
> > explained condition. Nolog means no logging to disk.
> > > Where are these logs getting lost?
> > > When I change the log_format back to RAW I do see the logs getting created
> > > on the client.
> >
> > For remote logging, you should set the format to enriched. This resolves
> > things locally so that the aggregating server can make sense of it later. If
> > you do not want events written to disk on the remote system, set write_logs =
> > no. You should also set name_format = hostname (or something else) in
> > auditd.conf of the remote systems. This is so you can tell who is creating the
> > events in the aggregating server.
> >
> > On the aggregating server, also set the format to enriched. But there you have
> > to have write_logs = yes. Also set name_format = hostname in auditd.conf of
> > the server.
> >
> > I would not recommend setting the name in audispd.conf for any system.
> >
> > -Steve
> >
> > > I did my best reading on net and debugging this - but no success. Please
> > > help.
> > >
> > > On Wed, Oct 4, 2017 at 1:52 AM, Steve Grubb <[email protected]> wrote:
> > > > On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote:
> > > > > Steve,
> > > > >
> > > > > Here is the relevant discussion on disabling the tcp listener on Ubuntu.
> > > > > https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html
> > > > > I do not know what exactly caused change - but now I think it should be
> > > > > enabled in distributions.
> > > > >
> > > > > Please let me know.
> > > > >
> > > > > Btw, I got auditd running (by setting LD_LIBRARY_PATH variable) from source
> > > > > now. Still audispd is not started now - what is the way / sequence to start
> > > > > auditd and audispd - if you can point me to some reference or a startup
> > > > > script will help.
> > > >
> > > > Since you installed in a non-standard location, you probably need to adjust
> > > > paths in the config files.
> > > >
> > > > What I would recommend is not to build and install by hand, but to use their
> > > > package manager to build a new package with listening enabled. The ./configure
> > > > script takes a --disable-listener parameter. So, it's probably as simple as
> > > > deleting that in the source package and rebuilding.
> > > >
> > > > That said, I have no idea how to build a package on Debian or Ubuntu.
> > > >
> > > > -Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
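As an added example (not code from this thread or from the audit project), a small POSIX sh checker that reads an auditd.conf fragment and flags the settings discussed above: the deprecated NOLOG format, a format other than ENRICHED, a missing name_format, and write_logs not set to yes on the aggregating server. The helper names and both sample config files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: check auditd.conf settings against
# the remote-logging advice given above. Role "remote" is the client that ships
# events, "server" is the aggregating host. The config files are constructed.

# auditd_conf_get FILE KEY: print KEY's value lower-cased (last one wins).
auditd_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# check_remote_logging ROLE FILE: print each problem found; return 0 if none.
check_remote_logging() {
    role=$1; file=$2; rc=0
    fmt=$(auditd_conf_get "$file" log_format)
    wl=$(auditd_conf_get "$file" write_logs)
    nf=$(auditd_conf_get "$file" name_format)
    if [ "$fmt" = "nolog" ]; then
        echo "$role: log_format = NOLOG is deprecated and writes nothing to disk"; rc=1
    elif [ "$fmt" != "enriched" ]; then
        echo "$role: log_format should be ENRICHED for remote logging (got '${fmt:-unset}')"; rc=1
    fi
    # name_format must be set (e.g. hostname) so the aggregator can tell senders apart
    if [ -z "$nf" ] || [ "$nf" = "none" ]; then
        echo "$role: name_format is unset; set name_format = hostname in auditd.conf"; rc=1
    fi
    # the aggregating server must actually write what it receives
    if [ "$role" = "server" ] && [ "$wl" != "yes" ]; then
        echo "$role: write_logs must be yes on the aggregating server (got '${wl:-unset}')"; rc=1
    fi
    return $rc
}

WORK=$(mktemp -d)
cat > "$WORK/remote.conf" <<'EOF'
# constructed sample: client side as it was earlier in the thread
log_format = NOLOG
write_logs = no
EOF
cat > "$WORK/server.conf" <<'EOF'
# constructed sample: aggregating server with the recommended settings
log_format = ENRICHED
write_logs = yes
name_format = hostname
EOF

check_remote_logging remote "$WORK/remote.conf" || echo "remote.conf needs fixing"
check_remote_logging server "$WORK/server.conf" && echo "server.conf looks right"
```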
