Re: Audisp-remote - connection refused.

2017-10-04 Thread Steve Grubb
On Wednesday, October 4, 2017 12:02:06 PM EDT Rituraj Buddhisagar wrote: > Hi Steve, > > I did the necessary, > Change in auditd.conf - log_format to ENRICHED. > write_logs set to "no" on client and "yes" on aggregating server. > name_format was already set in auditd.conf and not in audispd.conf o

Re: Audisp-remote - connection refused.

2017-10-04 Thread Rituraj Buddhisagar
Hi Steve, I did the necessary, Change in auditd.conf - log_format to ENRICHED. write_logs set to "no" on client and "yes" on aggregating server. name_format was already set in auditd.conf and not in audispd.conf on both the servers. I still do not see any logs coming in /var/log/audit/audit.log o

Re: Audisp-remote - connection refused.

2017-10-04 Thread Steve Grubb
On Wednesday, October 4, 2017 10:01:49 AM EDT Rituraj Buddhisagar wrote: > Hi Steve / List > > Now, I have built auditd from source as per the mail thread and then also > created a startup script. > > The auditd is starting successfully. > > The client is able to connect to the aggregating serve

Re: Audisp-remote - connection refused.

2017-10-04 Thread Rituraj Buddhisagar
Hi Steve / List Now, I have built auditd from source as per the mail thread and then also created a startup script. The auditd is starting successfully. The client is able to connect to the aggregating server. *node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272): addr=192.168.103.2

Re: Audisp-remote - connection refused.

2017-10-03 Thread Steve Grubb
On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote: > Steve, > > Here is the relevant discussion on disabling the tcp listener on Ubuntu. > https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html > > I do not know what exactly caused change - but now I think it

Re: Audisp-remote - connection refused.

2017-10-03 Thread Rituraj Buddhisagar
Steve, Here is the relevant discussion on disabling the tcp listener on Ubuntu. https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html I do not know what exactly caused change - but now I think it should be enabled in distributions. Please let me know. Btw, I got auditd runnin

Re: Audisp-remote - connection refused.

2017-10-03 Thread Rituraj Buddhisagar
Sorry if this seems like spamming, but after I sent the earlier mail - I did install from source successfully with only --prefix=/usr/local I am now facing an issue like the one below: root@guslogs:/etc/init.d# /usr/local/sbin/auditd /usr/local/sbin/auditd: symbol lookup error: /usr/local/sbin/auditd:

Re: Audisp-remote - connection refused.

2017-10-03 Thread Rituraj Buddhisagar
Hi Steve / Audit List ; I have this issue because Ubuntu has disabled support for listener in their distribution !! On a blog I found that Debian has not disabled it but the Ubuntu distribution has. I found this when I ran auditd in foreground with -f option. Listener support is not enabled, ig

Re: Audisp-remote - connection refused.

2017-10-03 Thread Steve Grubb
On Tuesday, October 3, 2017 8:52:48 AM EDT Rituraj Buddhisagar wrote: > Hi Steve, > > I did check IPtables and I am not having any rules in there. I have allowed > the connections in /etc/hosts.allow. But then I do not see auditd listening > on port 60. > It just shows "ESTABLISHED" connection on

Re: Audisp-remote - connection refused.

2017-10-03 Thread Rituraj Buddhisagar
Hi Steve, I did check IPtables and I am not having any rules in there. I have allowed the connections in /etc/hosts.allow. But then I do not see auditd listening on port 60. It just shows "ESTABLISHED" connection on the aggregating server - which is itself! root@guslogs:/etc/audit# lsof -i :60 C

Re: Audisp-remote - connection refused.

2017-10-03 Thread Steve Grubb
On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote: > Please see inline- > > regards > > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb wrote: > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote: > > > Hi > > > > > > I tried my best to configure the au

Re: Audisp-remote - connection refused.

2017-10-03 Thread Rituraj Buddhisagar
Steve, I should have attached my config in previous mail: Here is the config on the aggregating server. (I see tcp_listen_port in auditd.conf and then there is mention of local port & port in audisp-remote.conf as well) I do not see auditd listening on port 60 as per my previous mail. (netstat ou

Re: Audisp-remote - connection refused.

2017-10-02 Thread Rituraj Buddhisagar
Please see inline- regards On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb wrote: > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote: > > Hi > > > > I tried my best to configure the audisp-remote. > > I am getting below error on the client machine in /var/log/syslog. > > > >

Re: Audisp-remote - connection refused.

2017-10-02 Thread Steve Grubb
On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote: > Hi > > I tried my best to configure the audisp-remote. > I am getting below error on the client machine in /var/log/syslog. > > Oct 2 14:41:15 xx audisp-remote: Error connecting to 192.168.103.7: > Connection refused On

Re: Audisp-remote - connection refused.

2017-10-02 Thread Rituraj Buddhisagar
Additional info: I doubt that the daemon is only listening on localhost and not accepting remote. # lsof -i :6999 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME audisp-re 9624 root 3u IPv4 37642 0t0 TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED) Btw, no iptables

Audisp-remote - connection refused.

2017-10-02 Thread Rituraj Buddhisagar
Hi I tried my best to configure the audisp-remote. I am getting below error on the client machine in /var/log/syslog. Oct 2 14:41:15 xx audisp-remote: Error connecting to 192.168.103.7: Connection refused 192.168.103.7 is the IP address of the central log server. Notes: My settings are be