Hi,
Apart from the man pages, I didn't find anything useful relating to audisp-remote.
I am searching for information on how it scales. Is there any performance issue?
How to use it in a large environment? ...
Most of what I found dates from a long time ago and mainly said to use rsyslog instead.
It seems that centralizing the messages through rsyslog is far more popular.
Is audisp-remote really used?
The man page reads:
       tcp_max_per_addr
              This is a numeric value which indicates how many concurrent
              connections from one IP address is allowed. The default is 1
              and the maximum is 1024. Setting this too large may allow for
              a Denial of Service attack on the logging server. Also note
              that the kernel has an internal maximum that will eventually
              prevent this even if auditd allows it by config. The default
              should be adequate in most cases unless a custom written
              recovery script runs to forward unsent events. In this case
              you would increase the number only large enough to let it in
              too.
Where could I find an example of a recovery script?
Could there be a way to inject the audit messages into auditd after having received
them via rsyslog?
This might be useful just because, by default, ausearch searches all available logs,
and the -if parameter accepts only one file.


Maybe my lack of knowledge about auditd leads me to write rubbish.
If so, please direct me to where I can find how to manage and use audit logs
after centralizing them.
Not only keeping them but actually using them.

Philippe
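The last question above, whether records collected via rsyslog can be fed back to the audit tooling, has a practical partial answer that does not require injecting anything into auditd: strip the syslog header from each forwarded line, merge the raw records from all sources into a single file, and point ausearch -if at that one file. The script below is an added example written for this thread, not code from the original post or from the audit project. It assumes the audisp syslog plugin format, where every forwarded line ends in a raw record of the form "type=... msg=audit(secs.ms:serial): ..." (the sample lines are constructed to match that format; the hostnames, timestamps and serials are made up).

```python
"""Rebuild a single raw audit log from syslog-forwarded audit records.

Added example (not from the original post or the audit project). Assumes
records were forwarded by the audisp syslog plugin through rsyslog, so each
line carries a syslog header and then the raw audit record.
"""
import re
import sys
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# A raw audit record starts with an optional "node=<host> " followed by
# "type=<TYPE> msg=audit(<secs>.<ms>:<serial>):". Everything before that is
# the syslog header rsyslog added, which ausearch cannot parse.
AUDIT_RECORD_RE = re.compile(
    r"(?P<record>(?:node=\S+ )?type=[A-Z_0-9]+ "
    r"msg=audit\((?P<secs>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):.*)$"
)

RecordKey = Tuple[int, int, int]  # (seconds, milliseconds, serial)


def extract_record(line: str) -> Optional[Tuple[RecordKey, str]]:
    """Return (sort key, raw record) for one syslog line, or None if the
    line is not an audit record (e.g. an unrelated daemon message)."""
    m = AUDIT_RECORD_RE.search(line.rstrip("\n"))
    if not m:
        return None
    key = (int(m["secs"]), int(m["ms"]), int(m["serial"]))
    return key, m["record"]


def merge_audit_lines(sources: Iterable[Iterable[str]]) -> List[str]:
    """Merge raw records from several sources (files, hosts, rotated logs)
    into one list ordered by audit timestamp and serial. The sort is stable,
    so the records of one multi-record event keep their original order."""
    records: List[Tuple[RecordKey, str]] = []
    for src in sources:
        for line in src:
            parsed = extract_record(line)
            if parsed is not None:
                records.append(parsed)
    records.sort(key=lambda kv: kv[0])
    return [rec for _, rec in records]


def rebuild_audit_log(paths: Iterable[Path], dest: Path) -> int:
    """Write the merged raw records to `dest` and return the record count.
    `dest` is then usable with: ausearch -if <dest> ..."""
    handles = [p.open("r", encoding="utf-8", errors="replace") for p in paths]
    try:
        merged = merge_audit_lines(handles)
    finally:
        for h in handles:
            h.close()
    dest.write_text("".join(rec + "\n" for rec in merged), encoding="utf-8")
    return len(merged)


# Constructed sample input: two hosts' rsyslog output, out of time order and
# with one non-audit line mixed in. Hostnames, times and serials are made up.
SAMPLE_HOST_A = [
    'Mar  5 10:00:01 hosta audispd: node=hosta type=SYSCALL msg=audit(1583402401.123:100): '
    'arch=c000003e syscall=59 success=yes exit=0 comm="cat" exe="/usr/bin/cat" key="exec"',
    'Mar  5 10:00:01 hosta audispd: node=hosta type=EXECVE msg=audit(1583402401.123:100): '
    'argc=2 a0="cat" a1="/etc/passwd"',
    "Mar  5 10:00:05 hosta some-daemon[123]: unrelated message, must be dropped",
]
SAMPLE_HOST_B = [
    "Mar  5 09:59:59 hostb audispd: node=hostb type=USER_LOGIN msg=audit(1583402399.500:77): "
    "pid=2 uid=0 auid=1000 ses=3 msg='op=login acct=\"alice\" exe=\"/usr/sbin/sshd\" res=success'",
]


def main() -> None:
    with tempfile.TemporaryDirectory() as tmp:
        a, b = Path(tmp, "hosta.log"), Path(tmp, "hostb.log")
        a.write_text("\n".join(SAMPLE_HOST_A) + "\n")
        b.write_text("\n".join(SAMPLE_HOST_B) + "\n")
        out = Path(tmp, "merged.log")
        n = rebuild_audit_log([a, b], out)
        sys.stdout.write(f"{n} records written to {out}\n{out.read_text()}")


if __name__ == "__main__":
    main()
```

The merged file keeps only what auditd itself would have written, so ausearch and aureport treat it like a local audit.log. Records that arrive from several hosts share one timestamp and serial space only by coincidence; the node= field carried by the syslog plugin is preserved so results can still be attributed per host (ausearch's --node option filters on it).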


--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit