On 10/16/2018 04:07 PM, Lenny Bruzenak wrote:
> Situation:
>
> Have 3 VMs all running RHEL7.6 (3.10.0-933.el7.x86_64) with audit
> components 2.8.4, including audisp-plugins. Using the audisp-remote
> plugin,
>
> Machine A -> B
>
> Machine B -> C
>
> Problem 1:
>
> If I enable "distribute_network = yes" on Machine B, audispd (and
> children) stops.
>
> No anom_abend, no message in syslog, no audit event I can identify as
> a clue.
>
>
> If I disable the distribute_network, the audispd and audisp-remote
> work fine.

Looks like, with preliminary testing, that maybe this problem is restricted to the RAW data format. I noticed that my machines were set to RAW; once changed to ENRICHED it does work.

Since I plan on only using enriched, it really doesn't matter too much to me. Raw settings but forwarding events probably doesn't make a lot of sense anyway.

Thx,

LCB

--
Lenny Bruzenak
MagitekLTD

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
