AUDISP-REMOTE.CONF:(5)     System Administration Utilities     AUDISP-REMOTE.CONF:(5)

NAME
       audisp-remote.conf - the audisp-remote configuration file

DESCRIPTION
       audisp-remote.conf is the file that controls the configuration of the
       audit remote logging subsystem. The options that are available are as
       follows:

       remote_server
              This is a one word character string that is the remote server
              hostname or address that this plugin will send log information
              to. This can be the numeric address or a resolvable hostname.

       port   This option is an unsigned integer that indicates what port to
              connect to on the remote machine.

       local_port
              This option is an unsigned integer that indicates what local
              port to connect from on the local machine. If unspecified (the
              default) or set to the word any, then any available unprivileged
              port is used. This is a security mechanism to prevent untrusted
              user space apps from injecting events into the audit daemon. You
              should set it to an unused port < 1024 to ensure that only
              privileged users can bind to that port. Then also set the
              tcp_client_ports in the aggregating auditd.conf file to match
              the ports that clients are sending from.

       transport
              This parameter tells the remote logging app how to send events
              to the remote system. The only valid value right now is tcp. If
              set to tcp, the remote logging app will just make a normal clear
              text connection to the remote system. This is not used if
              Kerberos is enabled.

       mode   This parameter tells the remote logging app what strategy to use
              when getting records to the remote system. Valid values are
              immediate and forward. If set to immediate, the remote logging
              app will attempt to send events immediately after getting them.
              forward means that it will store the events to disk and then
              attempt to send the records. If the connection cannot be made,
              it will queue records until it can connect to the remote system.
              The depth of the queue is controlled by the queue_depth option.

       queue_file
              Path of a file used for the event queue if mode is set to
              forward. The default is /var/spool/audit/remote.log.

       queue_depth
              This option is an unsigned integer that determines how many
              records can be buffered to disk or in memory before considering
              it to be a failure sending. This parameter affects the forward
              mode of the mode option and internal queueing for temporary
              network outages. The default depth is 2048.

       format This parameter tells the remote logging app what data format
              will be used for the messages sent over the network. The
              default is managed, which adds some overhead to ensure each
              message is properly handled on the remote end, and to receive
              status messages from the remote server. If ascii is given
              instead, each message is a simple ASCII text line with no
              overhead at all. If mode is set to forward, format must be
              managed.

       network_retry_time
              The time, in seconds, between retries when a network error is
              detected. Note that this pause applies starting after the
              second attempt, so as to avoid unneeded delays if a reconnect
              is sufficient to fix the problem. The default is 1 second.

       max_tries_per_record
              The maximum number of times an attempt is made to deliver each
              message. The minimum value is one, as even a completely
              successful delivery requires at least one try. If too many
              attempts are made, the network_failure_action action is
              performed. The default is 3.

       max_time_per_record
              The maximum amount of time, in seconds, spent attempting to
              deliver each message. Note that both this and
              max_tries_per_record should be set, as each try may take a long
              time to time out. The default value is 5 seconds. If too much
              time is used on a message, the network_failure_action action is
              performed.

       heartbeat_timeout
              This parameter determines how often, in seconds, the client
              should send a heartbeat event to the remote server. This is
              used to let both the client and server know that each end is
              alive and has not terminated without cleanly shutting down the
              connection. This value must be coordinated with the server's
              tcp_client_max_idle setting. The default value is 0, which
              disables sending a heartbeat.

       network_failure_action
              This parameter tells the system what action to take whenever
              there is an error detected when sending audit events to the
              remote system. Valid values are ignore, syslog, exec, warn_once,
              suspend, single, halt, and stop. If set to ignore, the remote
              logging app does nothing. If an event was sent, it is dequeued.
              Syslog means that it will issue a warning to syslog. If an event
              was sent, it is dequeued. This is the default. exec /path-to-
              script will execute the script. You cannot pass parameters to
              the script. If an event was sent, it is dequeued.
              warn_once_continue is like syslog except that only one message
              is put in syslog until an event is successfully transferred.
              warn_once is like warn_once_continue except that the event is
              not dequeued. Suspend will cause the remote logging app to stop
              sending records to the remote system. The logging app will
              still be alive. If an event was sent, it is not dequeued. The
              single option will cause the remote logging app to put the
              computer system in single user mode. If an event was sent, it
              is not dequeued. The stop option will cause the remote logging
              app to exit, but leave other plugins running. If an event was
              sent, it is not dequeued. The halt option will cause the remote
              logging app to shutdown the computer system. If an event was
              sent, it is not dequeued. The default is to stop.

       disk_low_action
              Likewise, this parameter tells the system what action to take if
              the remote end signals a disk low error. The default is ignore.

       disk_full_action
              Likewise, this parameter tells the system what action to take if
              the remote end signals a disk full error. The default is
              warn_once.

       disk_error_action
              Likewise, this parameter tells the system what action to take if
              the remote end signals a disk error. The default is warn_once.

       remote_ending_action
              Likewise, this parameter tells the system what action to take if
              the remote end signals a disk error. This action has one
              additional option, reconnect, which tells the remote plugin to
              attempt to reconnect to the server upon receipt of the next
              audit record. If an event was being sent when something
              triggered this action, it is not dequeued. If it is
              unsuccessful in reconnecting, the audit record could be lost.
              The default is to reconnect.

       generic_error_action
              Likewise, this parameter tells the system what action to take if
              the remote end signals an error we don't recognize. The default
              is to log it to syslog.

       generic_warning_action
              Likewise, this parameter tells the system what action to take if
              the remote end signals a warning we don't recognize. The
              default is to log it to syslog.

       queue_error_action
              Likewise, this parameter tells the system what action to take if
              there is a problem working with a local record queue. The
              default is stop.

       overflow_action
              This parameter tells the system what action to take if the
              internal event queue overflows. Valid values are ignore, syslog,
              suspend, single, and halt. If set to ignore, the remote logging
              app does nothing. Syslog means that it will issue a warning to
              syslog. This is the default. Suspend will cause the remote
              logging app to stop sending records to the remote system. The
              logging app will still be alive. The single option will cause
              the remote logging app to put the computer system in single
              user mode. The halt option will cause the remote logging app to
              shutdown the computer system.

       enable_krb5
              If set to "yes", Kerberos 5 will be used for authentication and
              encryption. Default is "no". Note that encryption can only be
              used with managed connections, not plain ASCII.

       krb5_principal
              If specified, this is the expected principal for the server.
              The client and server will use the specified principal to
              negotiate the encryption. The format for the krb5_principal is
              like somename/hostname; see the auditd.conf man page for
              details. If not specified, the krb5_client_name and
              remote_server values are used.

       krb5_client_name
              This specifies the name portion of the client's own principal.
              If unspecified, the default is "auditd". The remainder of the
              principal will consist of the host's fully qualified domain name
              and the default Kerberos realm, like this:
              auditd/host14.example.com@EXAMPLE.COM (assuming you gave
              "auditd" as the krb5_client_name). Note that the client and
              server must have the same principal name and realm.

       krb5_key_file
              Location of the key for this client's principal. Note that the
              key file must be owned by root and mode 0400. The default is
              /etc/audisp/audisp-remote.key.
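The option constraints above (privileged local_port, tcp only, forward mode and Kerberos both requiring the managed format, a root-owned 0400 key file) can be checked before restarting the plugin. The following is an added example and not part of the audit package; it assumes the file uses "key = value" lines, and the sample configuration, parse_conf and check_conf are constructed for this page.

```python
import stat

# Constructed sample in the assumed "key = value" form of audisp-remote.conf;
# the values are made up for this example and are not a real deployment.
SAMPLE_CONF = """
# ship audit events to the aggregating auditd
remote_server = collector.example.com
port = 60
local_port = 900
transport = tcp
mode = forward
format = ascii
enable_krb5 = yes
krb5_key_file = /etc/audisp/audisp-remote.key
"""

def parse_conf(text):
    """Parse 'key = value' lines, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[key] = value
    return conf

def check_conf(conf, key_stat=None):
    """Return findings against the constraints the man page states.
    key_stat is an optional stat result for krb5_key_file, passed in so the
    ownership/mode check can run without touching the real file."""
    findings = []
    fmt = conf.get("format", "managed")
    local_port = conf.get("local_port", "any") or "any"   # unset == any
    if local_port == "any":
        findings.append("local_port unset: any unprivileged port may be used; "
                        "pick an unused port < 1024 so only root can bind it")
    elif not local_port.isdigit() or int(local_port) >= 1024:
        findings.append("local_port %s is not a privileged port (< 1024)" % local_port)
    if conf.get("transport", "tcp") != "tcp":
        findings.append("transport: tcp is the only valid value")
    if conf.get("mode") == "forward" and fmt != "managed":
        findings.append("mode = forward requires format = managed")
    if conf.get("enable_krb5") == "yes":
        if fmt != "managed":
            findings.append("enable_krb5 encryption needs a managed connection, not ascii")
        if key_stat is not None and (key_stat.st_uid != 0 or
                                     stat.S_IMODE(key_stat.st_mode) != 0o400):
            findings.append("krb5_key_file must be owned by root with mode 0400")
    return findings
```

Run on a real file with parse_conf(open(path).read()) and key_stat=os.stat(conf["krb5_key_file"]); an empty list means every stated constraint holds.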

NOTES
       Specifying a local port may make it difficult to restart the audit
       subsystem due to the previous connection being in a TIME_WAIT state, if
       you're reconnecting to and from the same hosts and ports as before.

       The network failure logic works as follows: The first attempt to
       deliver normally "just works". If it doesn't, a second attempt is
       immediately made, perhaps after reconnecting to the server. If the
       second attempt also fails, audisp-remote pauses for the configured
       time and tries again. It continues to pause and retry until either too
       many attempts have been made or the allowed time expires. Note that
       these times govern the maximum amount of time the remote server is
       allowed in order to reboot, if you want to maintain logging across a
       reboot.
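The retry schedule just described, with network_retry_time, max_tries_per_record and max_time_per_record applied as the page defines them, as an added simulation that is not part of the audit package; deliver_with_retry, SimulatedLink and run_scenario are names chosen here, and the clock is virtual so no real pause happens. The attempt_cost knob models the "each try may take a long time to time out" caveat from max_time_per_record.

```python
def deliver_with_retry(send, clock, sleep, network_retry_time=1,
                       max_tries_per_record=3, max_time_per_record=5):
    """Delivery schedule from NOTES: first try, immediate second try, then a
    pause of network_retry_time before every further try, until either
    max_tries_per_record tries have been made or max_time_per_record seconds
    have elapsed. send() returns True on success. Returns (delivered, tries);
    (False, n) is the point where network_failure_action would be performed."""
    start = clock()
    tries = 0
    while True:
        tries += 1
        if send():
            return True, tries
        if tries >= max_tries_per_record or clock() - start >= max_time_per_record:
            return False, tries
        if tries >= 2:   # the pause only applies after the second attempt
            sleep(network_retry_time)

class SimulatedLink:
    """Constructed stand-in for the network (not part of audisp-remote): a
    scripted list of per-attempt outcomes, a virtual clock, and the time each
    attempt started. attempt_cost is how long a failed try takes to time out."""
    def __init__(self, outcomes, attempt_cost=0.0):
        self.outcomes, self.attempt_cost = list(outcomes), attempt_cost
        self.now, self.attempt_times = 0.0, []
    def send(self):
        self.attempt_times.append(self.now)
        self.now += self.attempt_cost
        return self.outcomes.pop(0) if self.outcomes else False
    def sleep(self, seconds):
        self.now += seconds
    def clock(self):
        return self.now

def run_scenario(outcomes, attempt_cost=0.0, **settings):
    """Run one scripted delivery; report (delivered, tries, attempt_times)."""
    link = SimulatedLink(outcomes, attempt_cost)
    delivered, tries = deliver_with_retry(link.send, link.clock, link.sleep, **settings)
    return delivered, tries, link.attempt_times

if __name__ == "__main__":
    # recovers on the third try: attempts at t=0, t=0 (immediate retry), t=1
    print(run_scenario([False, False, True]))
    # slow timeouts: 2 s per failed try, so max_time_per_record=5 stops it
    # after 3 tries even though max_tries_per_record allows 10
    print(run_scenario([False] * 10, attempt_cost=2, max_tries_per_record=10))
```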

SEE ALSO
       audispd(8), audisp-remote(8), auditd.conf(5).

AUTHOR
       Steve Grubb

Red Hat                          June 2016              AUDISP-REMOTE.CONF:(5)