On Tue, May 18, 2010 at 10:43 AM, Steve Grubb <[email protected]> wrote:
> On Tuesday 18 May 2010 10:27:32 am Konstantin Ryabitsev wrote:
>> I'm interested in sending audit logs to a central logging server. One
>> option is using the builtin syslog plugin for audisp, but I also see
>> audisp-remote that mentions sending logs to a remote server.
>> Unfortunately, I'm having trouble finding more information about that
>> (such as "what kind of a remote server" and "how do you set up a
>> remote server").
>
> auditd is the remote server. Look at the auditd.conf man page starting at the
> tcp_listen_port entry to see what options you have available. One thing to
> note, I do not enable the kerberos support right now on any Red Hat or Fedora
> release.

Ah, okay -- I suspected as such but wanted to make sure. Is there a way to
send audit data encrypted if kerberos is not enabled?

>> Also a suggestion -- the syslog plugin for audisp doesn't specify the
>> facility, so the default facility (LOG_USER) is used. Perhaps this can
>> be made configurable so I could configure syslog to only send audit
>> logs to remote without duplicating them in /var/log/messages (e.g. set
>> facility to local9 and only send it to a remote server, not locally)?
>
> Sure. If you want to file a RFE bugzilla, please do.

Created as https://bugzilla.redhat.com/show_bug.cgi?id=593340

Thanks!
--
McGill University IT Security
Konstantin "Kay" Ryabitsev
Montréal, Québec
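The setup described in the quoted reply, as an added configuration sketch that is not part of the original thread and was not posted by either participant: auditd on the collector listens on `tcp_listen_port`, and audisp-remote on each client forwards to it. The address 192.0.2.10, port 60, the queue sizes and the file paths are assumed example values; check them against the man pages of the installed audit package.

```ini
# --- Collector: /etc/audit/auditd.conf (excerpt, path assumed) ---
# auditd acts as the remote server once a listen port is set.
tcp_listen_port = 60
tcp_listen_queue = 5
# Limit concurrent connections from any single client address.
tcp_max_per_addr = 1
# Accept only clients connecting from privileged source ports,
# paired with local_port on the client side below.
tcp_client_ports = 1-1023
# Kerberos is off, matching the builds mentioned in the thread.
# Without it the records cross the network unencrypted and the
# sender is identified only by address and source port.
enable_krb5 = no

# --- Client: /etc/audisp/audisp-remote.conf (excerpt, path assumed) ---
# 192.0.2.10 is a constructed documentation address for the collector.
remote_server = 192.0.2.10
port = 60
local_port = 60
transport = tcp
mode = immediate
queue_depth = 200
format = managed
enable_krb5 = no

# --- Client: /etc/audisp/plugins.d/au-remote.conf (path assumed) ---
# Activates the audisp-remote plugin so audispd hands events to it.
active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string
```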
