audisp-remote(8)

1AUDISP-REMOTE:(8)       System Administration Utilities      AUDISP-REMOTE:(8)
2
3
4

NAME

6       audisp-remote - plugin for remote logging
7

SYNOPSIS

9       audisp-remote
10

DESCRIPTION

12       audisp-remote  is  a plugin for the audit event dispatcher daemon, aud‐
13       ispd, that preforms remote logging to an aggregate logging server.
14
15

TIPS

17       If you are aggregating multiple machines, you should enable node infor‐
18       mation  and  enriched events in the audit event stream. You can do this
19       in one of two places. If you want computer node names written  to  disk
20       as  well  as  sent  in  the realtime event stream, edit the name_format
21       option in /etc/audit/auditd.conf. This is the best option for  enriched
22       events.  If  you only want the node names in the realtime event stream,
23       then edit the name_format option in  /etc/audisp/audispd.conf.  Do  not
24       enable both as it will put 2 node fields in the event stream.
25
26

SIGNALS

28       SIGUSR1
29              Causes  the  audisp-remote program to write the value of some of
30              its internal flags to syslog. The suspend flag tells whether  or
31              not  logging has been suspended. The remote_ended flage tells if
32              the connection was broken by the  server  saying  it  can't  log
33              events.  The  transport_ok flag tells whether or not the connec‐
34              tion to the remote server is healthy. The queue_size  tells  how
35              many records are enqueued to be sent to the remote server.
36
37       SIGUSR2
38              Causes  the  audisp-remote  program to resume logging if it were
39              suspended due to an error.
40
41

FILES

43       /etc/audisp/plugins.d/au-remote.conf, /etc/audit/auditd.conf, /etc/aud‐
44       isp/audispd.conf, /etc/audisp/audisp-remote.conf
45

AUTHOR

50       Steve Grubb
51
52
53
54Red Hat                            July 2016                 AUDISP-REMOTE:(8)