audisp-remote - plugin for remote logging
audisp-remote
audisp-remote is a plugin for the audit event dispatcher that preforms
remote logging to an aggregate logging server.
If you are aggregating multiple machines, you should edit auditd.conf to set the
name_format to something meaningful and the log_format to enriched. This way
you can tell where the event came from and have the user name and groups
resolved locally before it is sent off of the machine.
- SIGUSR1
- Causes the audisp-remote program to write the value of some
of its internal flags to syslog. The suspend flag tells whether or
not logging has been suspended. The remote_ended flag tells if the
connection was broken by the server saying it can't log events. The
transport_ok flag tells whether or not the connection to the remote
server is healthy. The queue_size tells how many records are
enqueued to be sent to the remote server.
- SIGUSR2
- Causes the audisp-remote program to resume logging if it
were suspended due to an error.
/etc/audit/audisp-remote.conf /etc/audit/plugins.d/au-remote.conf
/etc/audit/auditd.conf
auditd.conf(8),
auditd-plugins(5),
audisp-remote.conf(5).
Steve Grubb