AUDISP-REMOTE.CONF:(5)  System Administration Utilities AUDISP-REMOTE.CONF:(5)

NAME

       audisp-remote.conf - the audisp-remote configuration file

DESCRIPTION

       audisp-remote.conf is the file that controls the configuration of the
       audit remote logging subsystem. The options that are available are as
       follows:

       remote_server
              This is a one word character string that is the remote server
              hostname or address that this plugin will send log information
              to. This can be the numeric address or a resolvable hostname.

       port   This option is an unsigned integer that indicates what port to
              connect to on the remote machine.

       local_port
              This option is an unsigned integer that indicates what local
              port to connect from on the local machine. If unspecified (the
              default) or set to the word any, then any available unprivileged
              port is used. This is a security mechanism to prevent untrusted
              user space apps from injecting events into the audit daemon. You
              should set it to an unused port < 1024 to ensure that only
              privileged users can bind to that port. Then also set the
              tcp_client_ports in the aggregating auditd.conf file to match
              the ports that clients are sending from.

       transport
              This parameter tells the remote logging app how to send events
              to the remote system. The valid options are TCP and KRB5. If
              set to TCP, the remote logging app will just make a normal clear
              text connection to the remote system. If it is set to KRB5, then
              Kerberos 5 will be used for authentication and encryption. The
              default value is TCP.

       mode   This parameter tells the remote logging app what strategy to use
              for getting records to the remote system. Valid values are
              immediate and forward. If set to immediate, the remote logging
              app will attempt to send events immediately after getting them.
              forward means that it will store the events to disk and then
              attempt to send the records. If the connection cannot be made,
              it will queue records until it can connect to the remote system.
              The depth of the queue is controlled by the queue_depth option.

       queue_file
              Path of a file used for the event queue if mode is set to
              forward. The default is /var/spool/audit/remote.log.

       queue_depth
              This option is an unsigned integer that determines how many
              records can be buffered to disk or in memory before considering
              it to be a failure sending. This parameter affects the forward
              mode of the mode option and internal queueing for temporary
              network outages. The default depth is 2048.

       format This parameter tells the remote logging app what data format
              will be used for the messages sent over the network. The
              default is managed, which adds some overhead to ensure each
              message is properly handled on the remote end, and to receive
              status messages from the remote server. If ascii is given
              instead, each message is a simple ASCII text line with no
              overhead at all. If mode is set to forward, format must be
              managed.

       network_retry_time
              The time, in seconds, between retries when a network error is
              detected. Note that this pause applies starting after the
              second attempt, so as to avoid unneeded delays if a reconnect is
              sufficient to fix the problem. The default is 1 second.

       max_tries_per_record
              The maximum number of times an attempt is made to deliver each
              message. The minimum value is one, as even a completely
              successful delivery requires at least one try. If too many
              attempts are made, the network_failure_action action is
              performed. The default is 3.

       max_time_per_record
              The maximum amount of time, in seconds, spent attempting to
              deliver each message. Note that both this and
              max_tries_per_record should be set, as each try may take a long
              time to time out. The default value is 5 seconds. If too much
              time is used on a message, the network_failure_action action is
              performed.

       heartbeat_timeout
              This parameter determines how often in seconds the client should
              send a heartbeat event to the remote server. This is used to let
              both the client and server know that each end is alive and has
              not terminated without cleanly shutting down the connection.
              This value must be coordinated with the server's
              tcp_client_max_idle setting. The default value is 0, which
              disables sending a heartbeat.

       network_failure_action
              This parameter tells the system what action to take whenever
              there is an error detected when sending audit events to the
              remote system. Valid values are ignore, syslog, exec, warn_once,
              suspend, single, halt, and stop. If set to ignore, the remote
              logging app does nothing. If an event was sent, it is dequeued.
              Syslog means that it will issue a warning to syslog. If an event
              was sent, it is dequeued. This is the default.
              exec /path-to-script will execute the script. You cannot pass
              parameters to the script. If an event was sent, it is dequeued.
              warn_once_continue is like syslog except that only one message
              is put in syslog until an event is successfully transferred.
              warn_once is like warn_once_continue except that the event is
              not dequeued. Suspend will cause the remote logging app to stop
              sending records to the remote system. The logging app will
              still be alive. If an event was sent, it is not dequeued. The
              single option will cause the remote logging app to put the
              computer system in single user mode. If an event was sent, it
              is not dequeued. The stop option will cause the remote logging
              app to exit, but leave other plugins running. If an event was
              sent, it is not dequeued. The halt option will cause the remote
              logging app to shut down the computer system. If an event was
              sent, it is not dequeued. The default is to stop.

       disk_low_action
              Likewise, this parameter tells the system what action to take if
              the remote end signals a disk low error. The default is ignore.

       disk_full_action
              Likewise, this parameter tells the system what action to take if
              the remote end signals a disk full error. The default is
              warn_once.

       disk_error_action
              Likewise, this parameter tells the system what action to take if
              the remote end signals a disk error. The default is warn_once.

       remote_ending_action
              Likewise, this parameter tells the system what action to take if
              the network connection is lost. This action has one additional
              option, reconnect, which tells the remote plugin to attempt to
              reconnect to the server upon receipt of the next audit record.
              If an event was being sent when something triggered this action,
              it is not dequeued. If it is unsuccessful in reconnecting, the
              audit record could be lost. The default is to reconnect.

       generic_error_action
              Likewise, this parameter tells the system what action to take if
              the remote end signals an error we don't recognize. The default
              is to log it to syslog.

       generic_warning_action
              Likewise, this parameter tells the system what action to take if
              the remote end signals a warning we don't recognize. The
              default is to log it to syslog.

       queue_error_action
              Likewise, this parameter tells the system what action to take if
              there is a problem working with a local record queue. The
              default is stop.

       overflow_action
              This parameter tells the system what action to take if the
              internal event queue overflows. Valid values are ignore, syslog,
              suspend, single, and halt. If set to ignore, the remote logging
              app does nothing. Syslog means that it will issue a warning to
              syslog. This is the default. Suspend will cause the remote
              logging app to stop sending records to the remote system. The
              logging app will still be alive. The single option will cause
              the remote logging app to put the computer system in single
              user mode. The halt option will cause the remote logging app to
              shut down the computer system.

       enable_krb5
              This option is deprecated. Use the transport option to enable
              Kerberos support. If this option follows the transport
              configuration option, it will override the transport setting.
              This would be the normal expected behavior for backwards
              compatibility. If set to yes, Kerberos 5 will be used for
              authentication and encryption. Default is no. Note that
              encryption can only be used with managed connections, not plain
              ASCII.

       krb5_principal
              If specified, this is the expected principal for the server.
              The client and server will use the specified principal to
              negotiate the encryption. The format for the krb5_principal is
              like somename/hostname; see the auditd.conf man page for
              details. If not specified, the krb5_client_name and
              remote_server values are used.

       krb5_client_name
              This specifies the name portion of the client's own principal.
              If unspecified, the default is "auditd". The remainder of the
              principal will consist of the host's fully qualified domain name
              and the default Kerberos realm, like this:
              auditd/host14.example.com@EXAMPLE.COM (assuming you gave
              "auditd" as the krb5_client_name). Note that the client and
              server must have the same principal name and realm.

       krb5_key_file
              Location of the key for this client's principal. Note that the
              key file must be owned by root and mode 0400. The default is
              /etc/audisp/audisp-remote.key.

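       As an added example (not part of the audit package or this man page), the
       following Python checker reads an audisp-remote.conf in the key = value
       layout the audit configuration files use and flags the settings discussed
       above: a clear-text transport (including a deprecated enable_krb5 line
       that follows and overrides a transport line), an unset or unprivileged
       local_port, a mode/format or Kerberos/format mismatch, and a disabled
       heartbeat. The two sample configurations are constructed.

```python
"""Checker for the audisp-remote.conf options described above. Added example,
not part of the audit package; the sample configurations are constructed."""
def parse_conf(text):
    pairs = []                                  # (key, value) in file order
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def audit_conf(text):
    """Return a list of findings; an empty list means nothing to flag."""
    findings, cfg, krb5 = [], {}, False
    for key, value in parse_conf(text):
        cfg[key] = value
        if key == "transport":
            krb5 = value.upper() == "KRB5"
        elif key == "enable_krb5":             # deprecated but honoured, and
            krb5 = value.lower() == "yes"      # it overrides an earlier transport
    if not krb5:
        findings.append("transport: events cross the network in clear text")
    lp = cfg.get("local_port", "any").lower()  # unset means 'any'
    if not lp.isdigit() or int(lp) >= 1024:
        findings.append("local_port: use an unused port < 1024 so only root can bind it")
    fmt = cfg.get("format", "managed").lower()
    if cfg.get("mode", "immediate").lower() == "forward" and fmt != "managed":
        findings.append("format: mode=forward requires format=managed")
    if krb5 and fmt != "managed":
        findings.append("format: Kerberos encryption requires format=managed")
    if cfg.get("heartbeat_timeout", "0") == "0":
        findings.append("heartbeat_timeout: 0 disables the keepalive heartbeat")
    return findings

WEAK_CONF = """# constructed sample: clear text, no pinned source port, no heartbeat
remote_server = collector.example.test
port = 60
transport = TCP
format = managed
"""
HARDENED_CONF = """# constructed sample: Kerberos, privileged source port, heartbeat on
remote_server = collector.example.test
port = 60
local_port = 600
transport = KRB5
mode = forward
format = managed
heartbeat_timeout = 60
"""
```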

NOTES

       Specifying a local port may make it difficult to restart the audit
       subsystem due to the previous connection being in a TIME_WAIT state, if
       you're reconnecting to and from the same hosts and ports as before.

       The network failure logic works as follows: The first attempt to
       deliver normally "just works". If it doesn't, a second attempt is
       immediately made, perhaps after reconnecting to the server. If the
       second attempt also fails, audisp-remote pauses for the configured
       time and tries again. It continues to pause and retry until either too
       many attempts have been made or the allowed time expires. Note that
       these times govern the maximum amount of time the remote server is
       allowed in order to reboot, if you want to maintain logging across a
       reboot.

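       An added Python model of the retry sequence just described, combined with
       the dequeue rules listed under network_failure_action (it is not
       audisp-remote's own code). It replays constructed per-attempt outcomes
       against network_retry_time, max_tries_per_record and max_time_per_record,
       and computes how long an outage of the remote server a given setting
       rides out before the failure action fires.

```python
"""Model of the retry logic from NOTES and the network_failure_action dequeue
rules. Added example, not audisp-remote's code; all attempt data is constructed."""

# Actions after which a record is dequeued even though delivery failed
# (per the network_failure_action description); all others keep it queued.
DEQUEUE_ON_FAILURE = {"ignore", "syslog", "exec", "warn_once_continue"}

def deliver(attempts, network_retry_time=1, max_tries_per_record=3,
            max_time_per_record=5):
    """attempts: constructed list of (succeeded, seconds_taken), one per try.
    Returns (delivered, tries_used, elapsed_seconds)."""
    elapsed, tries = 0, 0
    for ok, took in attempts:
        if tries >= max_tries_per_record or elapsed >= max_time_per_record:
            break                      # give up: network_failure_action fires
        if tries >= 2:                 # the pause only starts after the 2nd try
            elapsed += network_retry_time
        tries += 1
        elapsed += took
        if ok:
            return True, tries, elapsed
    return False, tries, elapsed

def record_outcome(attempts, action="syslog", **timing):
    """Combine the retry result with the configured failure action and report
    whether the record is still queued (i.e. not lost)."""
    delivered, tries, elapsed = deliver(attempts, **timing)
    kept = delivered or action not in DEQUEUE_ON_FAILURE
    return {"delivered": delivered, "tries": tries,
            "elapsed": elapsed, "record_kept": kept}

def outage_budget(connect_timeout, **timing):
    """Seconds of server outage (e.g. a reboot) the settings ride out before
    giving up, assuming every try blocks for connect_timeout seconds."""
    tries = timing.get("max_tries_per_record", 3)
    return deliver([(False, connect_timeout)] * tries, **timing)[2]

if __name__ == "__main__":
    print(record_outcome([(False, 1), (False, 1), (True, 1)]))
    print(outage_budget(3))                      # defaults: gives up after 6 s
    print(outage_budget(3, max_tries_per_record=10, max_time_per_record=120))
```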

SEE ALSO

       audispd(8), audisp-remote(8), auditd.conf(5).


AUTHOR

       Steve Grubb

Red Hat                            Aug 2018             AUDISP-REMOTE.CONF:(5)