audisp-remote - Man Page

plugin for remote logging

Synopsis

audisp-remote

Description

audisp-remote is a plugin for the audit event dispatcher that performs remote logging to an aggregate logging server. When the plugin is sent SIGUSR1, it writes a state report to remote.state.

Tips

If you are aggregating multiple machines, you should edit auditd.conf to set the name_format to something meaningful and the log_format to enriched. This way you can tell where the event came from and have the user name and groups resolved locally before it is sent off of the machine.

Signals

SIGUSR1

Causes the audisp-remote program to write a state report to remote.state in /run/audit. The suspend flag tells whether or not logging has been suspended. The remote_ended flag tells if the connection was broken by the server saying it can't log events. The transport_ok flag tells whether or not the connection to the remote server is healthy. The queue_length tells how many records are enqueued to be sent to the remote server. The max_queued_length shows the peak queue length since startup. The report also records glibc memory consumption when available.

SIGUSR2

Causes the audisp-remote program to resume logging if it were suspended due to an error.

Files

/etc/audit/audisp-remote.conf /etc/audit/plugins.d/au-remote.conf /etc/audit/auditd.conf /run/audit/remote.state

See Also

auditd.conf(8), auditd-plugins(5), audisp-remote.conf(5).

Author

Steve Grubb

Referenced By

audisp-remote.conf(5).

May 2024 Red Hat System Administration Utilities