1AUDISP-REMOTE.CONF:(5) System Administration Utilities AUDISP-REMOTE.CONF:(5)
2
6 audisp-remote.conf - the audisp-remote configuration file
7
9 audisp-remote.conf is the file that controls the configuration of the
10 audit remote logging subsystem. The options that are available are as
11 follows:
12 remote_server
15 This is a one word character string that is the remote server
16 hostname or address that this plugin will send log information
17 to. This can be the numeric address or a resolvable hostname.
18 port This option is an unsigned integer that indicates what port to
20 connect to on the remote machine.
21 local_port
23 This option is an unsigned integer that indicates what local
24 port to connect from on the local machine. If unspecified (the
25 default) or set to the word any then any available unpriviledged
26 port is used. This is a security mechanism to prevent untrusted
27 user space apps from injecting events into the audit daemon. You
28 should set it to an unused port < 1024 to ensure that only priv‐
29 ileged users can bind to that port. Then also set the
30 tcp_client_ports in the aggregating auditd.conf file to match
31 the ports that clients are sending from.
32 transport
34 This parameter tells the remote logging app how to send events
35 to the remote system. The valid options are TCP, and KRB5. If
36 set to TCP, the remote logging app will just make a normal clear
37 text connection to the remote system. If its set to KRB5, then
38 Kerberos 5 will be used for authentication and encryption. The
39 default value is TCP.
40 mode This parameter tells the remote logging app what strategy to use
42 getting records to the remote system. Valid values are immedi‐
43 ate, and forward . If set to immediate, the remote logging app
44 will attempt to send events immediately after getting them.
45 forward means that it will store the events to disk and then
46 attempt to send the records. If the connection cannot be made,
47 it will queue records until it can connect to the remote system.
48 The depth of the queue is controlled by the queue_depth option.
49 queue_file
51 Path of a file used for the event queue if mode is set to for‐
52 ward. The default is /var/spool/audit/remote.log.
53 queue_depth
55 This option is an unsigned integer that determines how many
56 records can be buffered to disk or in memory before considering
57 it to be a failure sending. This parameter affects the forward
58 mode of the mode option and internal queueing for temporary net‐
59 work outtages. The default depth is 2048.
60 format This parameter tells the remote logging app what data format
62 will be used for the messages sent over the network. The
63 default is managed which adds some overhead to ensure each mes‐
64 sage is properly handled on the remote end, and to receive sta‐
65 tus messages from the remote server. If ascii is given instead,
66 each message is a simple ASCII text line with no overhead at
67 all. If mode is set to forward, format must be managed.
68 network_retry_time
70 The time, in seconds, between retries when a network error is
71 detected. Note that this pause applies starting after the sec‐
72 ond attempt, so as to avoid unneeded delays if a reconnect is
73 sufficient to fix the problem. The default is 1 second.
74 max_tries_per_record
76 The maximum number of times an attempt is made to deliver each
77 message. The minimum value is one, as even a completely suc‐
78 cessful delivery requires at least one try. If too many
79 attempts are made, the network_failure_action action is per‐
80 formed. The default is 3.
81 max_time_per_record
83 The maximum amount of time, in seconds, spent attempting to
84 deliver each message. Note that both this and
85 max_tries_per_record should be set, as each try may take a long
86 time to time out. The default value is 5 seconds. If too much
87 time is used on a message, the network_failure_action action is
88 performed.
89 heartbeat_timeout
91 This parameter determines how often in seconds the client should
92 send a heartbeat event to the remote server. This is used to let
93 both the client and server know that each end is alive and has
94 not terminated in a way that it did not shutdown the connection
95 uncleanly. This value must be coordinated with the server's
96 tcp_client_max_idle setting. The default value is 0 which dis‐
97 ables sending a heartbeat.
98 network_failure_action
100 This parameter tells the system what action to take whenever
101 there is an error detected when sending audit events to the
102 remote system. Valid values are ignore, syslog, exec, warn_once,
103 suspend, single, halt, and stop. If set to ignore, the remote
104 logging app does nothing. If an event was sent, its dequeued.
105 Syslog means that it will issue a warning to syslog. If an event
106 was sent, its dequeued. This is the default. exec /path-to-
107 script will execute the script. You cannot pass parameters to
108 the script. If an event was sent, its dequeued. warn_once_con‐
109 tinue is like syslog execept that only one message is put in
110 syslog until an event is successfully transferred. warn_once is
111 like warn_once_continue execept that the event is not dequeued.
112 Suspend will cause the remote logging app to stop sending
113 records to the remote system. The logging app will still be
114 alive. If an event was sent, it is not dequeued. The single
115 option will cause the remote logging app to put the computer
116 system in single user mode. If an event was sent, it is not
117 dequeued. The stop option will cause the remote logging app to
118 exit, but leave other plugins running. If an event was sent, it
119 is not dequeued. The halt option will cause the remote logging
120 app to shutdown the computer system. If an event was sent, it is
121 not dequeued. The default is to stop.
122 disk_low_action
124 Likewise, this parameter tells the system what action to take if
125 the remote end signals a disk low error. The default is ignore.
126 disk_full_action
128 Likewise, this parameter tells the system what action to take if
129 the remote end signals a disk full error. The default is
130 warn_once.
131 disk_error_action
133 Likewise, this parameter tells the system what action to take if
134 the remote end signals a disk error. The default is warn_once.
135 remote_ending_action
137 Likewise, this parameter tells the system what action to take if
138 the network connection is lost. This action has one additional
139 option, reconnect which tells the remote plugin to attempt to
140 reconnect to the server upon receipt of the next audit record.
141 If an event was being sent when something triggered this action,
142 it is not dequeued. If it is unsuccessful in reconnecting, the
143 audit record could be lost. The default is to reconnect.
144 generic_error_action
146 Likewise, this parameter tells the system what action to take if
147 the remote end signals an error we don't recognize. The default
148 is to log it to syslog.
149 generic_warning_action
151 Likewise, this parameter tells the system what action to take if
152 the remote end signals a warning we don't recognize. The
153 default is to log it to syslog.
154 queue_error_action
156 Likewise, this parameter tells the system what action to take if
157 there is a problem working with a local record queue. The
158 default is stop.
159 overflow_action
161 This parameter tells the system what action to take if the
162 internal event queue overflows. Valid values are ignore, syslog,
163 suspend, single, and halt . If set to ignore, the remote log‐
164 ging app does nothing. Syslog means that it will issue a warn‐
165 ing to syslog. This is the default. Suspend will cause the
166 remote logging app to stop sending records to the remote system.
167 The logging app will still be alive. The single option will
168 cause the remote logging app to put the computer system in sin‐
169 gle user mode. The halt option will cause the remote logging app
170 to shutdown the computer system.
171 enable_krb5
173 This option is deprecated. Use the transport option to enable
174 Kerberos support. If this option follows the transport configu‐
175 ration option, it will override the transport setting. This
176 would be the normal expected behavior for backwards compatibil‐
177 ity. If set to yes, Kerberos 5 will be used for authentication
178 and encryption. Default is no. Note that encryption can only
179 be used with managed connections, not plain ASCII.
180 krb5_principal
182 If specified, This is the expected principal for the server.
183 The client and server will use the specified principal to nego‐
184 tiate the encryption. The format for the krb5_principal is like
185 somename/hostname, see the auditd.conf man page for details. If
186 not specified, the krb5_client_name and remote_server values are
187 used.
188 krb5_client_name
190 This specifies the name portion of the client's own principal.
191 If unspecified, the default is "auditd". The remainder of the
192 principal will consist of the host's fully qualified domain name
193 and the default Kerberos realm, like this: auditd/host14.exam‐
194 ple.com@EXAMPLE.COM (assuming you gave "auditd" as the
195 krb_client_name). Note that the client and server must have the
196 same principal name and realm.
197 krb5_key_file
199 Location of the key for this client's principal. Note that the
200 key file must be owned by root and mode 0400. The default is
201 /etc/audisp/audisp-remote.key
202
206 Specifying a local port may make it difficult to restart the audit sub‐
207 system due to the previous connection being in a TIME_WAIT state, if
208 you're reconnecting to and from the same hosts and ports as before.
209 The network failure logic works as follows: The first attempt to
211 deliver normally "just works". If it doesn't, a second attempt is
212 immediately made, perhaps after reconnecting to the server. If the
213 second attempt also fails, audispd-remote pauses for the configured
214 time and tries again. It continues to pause and retry until either too
215 many attempts have been made or the allowed time expires. Note that
216 these times govern the maximum amount of time the remote server is
217 allowed in order to reboot, if you want to maintain logging across a
218 reboot.
219
222 audispd(8), audisp-remote(8), auditd.conf(5).
223
225 Steve Grubb
226Red Hat Aug 2018 AUDISP-REMOTE.CONF:(5)