On Tue, 2009-09-29 at 14:51 -0400, Norman Mark St. Laurent wrote:
> Hi LCB,
>
> I hope I answer u correctly...
>
> I would look in your /etc/audisp/audisp-remote.conf file and note the
> port you communicate on, as an alternate you can grab the port with
> "lsof -i -nP" or "netstat -taupe". Then you can use tcpdump to watch
> the connections.
>
> #tcpdump -i eth0 port 1001 --> or whatever port you have set up to
> the remote data on and the correct nic.
>
> Sounds like this could help u out.
>
> Norman Mark St. Laurent
> Conceras | Chief Technology Officer and ISSE
> Phone: 703-965-4892
> Email: [email protected]
> Web: http://www.conceras.com
>
> Connect. Collaborate. Conceras.
>
> LC Bruzenak wrote:
> > On Thu, 2008-08-14 at 19:31 -0500, LC Bruzenak wrote:
> >
> >> On Thu, 2008-08-14 at 20:27 -0400, Steve Grubb wrote:
> >>
> >>> On Thursday 14 August 2008 20:22:24 LC Bruzenak wrote:
> >>>
> >>>> I think you have a good point - this is the first cut and maybe
> >>>> later on institute a "replay daemon" or something which can send
> >>>> events on reconnect.
> >>>
> >>> Note that all audispd plugins take their input from stdin. At the
> >>> worst, if you had the time hacks, you could
> >>>
> >>> ausearch --start <time> --end <time> --raw | /sbin/audisp-remote
> >>>
> >>> -Steve
> >
> > Steve,
> >
> > I have been doing this but I really cannot tell if the audisp-remote
> > connection succeeds; it returns "0" either way.
> > Would there be an easy way to return a non-zero failure indicator?
> >
> > Thx,
> > LCB.

Norman,

Thanks for the reply but I wasn't quite clear enough.

The context of this is within a recovery script, so I'm concerned that I
can get the return value of the audisp-remote within the script to
decide if the recovery was successful or if it failed.

I don't think that was clear above; my apologies since the conversation
I referenced was > 1 year old.

LCB.

--
LC (Lenny) Bruzenak
[email protected]

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
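
Added example, not part of the original thread and not code from the audit project: a pre-flight check a recovery script could run before the replay pipeline quoted above, so that an unreachable collector yields a non-zero status even though audisp-remote itself exits 0. The function names and the AUDISP_REMOTE variable are hypothetical; it assumes the remote_server and port keys of audisp-remote.conf and that bash and timeout are installed. A passing check shows only that the port accepted a TCP connection, not that the events were delivered.

```shell
# Print the value of "key = value" from a config file; exit 1 if the key is absent.
conf_get() {
    awk -F= -v k="$1" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (key == k) {
                val = $2
                gsub(/^[ \t]+|[ \t]+$/, "", val)  # trim surrounding whitespace
                found = 1
            }
        }
        END { if (found) print val; else exit 1 }
    ' "$2"
}

# Succeed only if a TCP connection to host $1, port $2 opens within 5 seconds.
# Uses bash's /dev/tcp pseudo-device, so it also works when called from plain sh.
remote_reachable() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# replay_events <conf> <ausearch time options...>
# Returns 2 if the config lacks remote_server or port, 3 if the collector
# cannot be reached; otherwise the pipeline's status, which is the status of
# audisp-remote (reported in the thread as 0 either way).
replay_events() {
    re_conf=$1; shift
    re_host=$(conf_get remote_server "$re_conf") || return 2
    re_port=$(conf_get port "$re_conf") || return 2
    remote_reachable "$re_host" "$re_port" || return 3
    ausearch "$@" --raw | "${AUDISP_REMOTE:-/sbin/audisp-remote}"
}

# Usage inside a recovery script:
#   replay_events /etc/audisp/audisp-remote.conf --start <time> --end <time> \
#       || echo "replay not attempted or failed: $?" >&2
```
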
