audisp-remote.conf man page on YellowDog

AUDISP-REMOTE.CONF:(5)	System Administration Utilities AUDISP-REMOTE.CONF:(5)

NAME
       audisp-remote.conf - the audisp-remote configuration file

DESCRIPTION
       audisp-remote.conf  is  the file that controls the configuration of the
       audit remote logging subsystem. The options that are available  are  as
       follows:

       remote_server
	      This  is	a  one word character string that is the remote server
	      hostname or address that this daemon will send  log  information
	      to. This can be the numeric address or a resolvable hostname.

       port   This  option  is an unsigned integer that indicates what port to
	      connect to on the remote machine.

       local_port
	      This option is an unsigned integer  that	indicates  what	 local
	      port  to connect from on the local machine.  If unspecified (the
	      default) or set to the word any then any available unprivileged
	      port is used.

       transport
	      This  parameter  tells the remote logging app how to send events
	      to the remote system. Valid values are tcp and ssl.  If set  to
	      tcp,  the	 remote logging app will just make a normal clear text
	      connection to the remote system.	ssl means that it will open an
	      encrypted connection to the remote system.

       mode   This parameter tells the remote logging app what strategy to use
	      for getting records to the remote system. Valid values are
	      immediate and forward.  If set to immediate, the remote logging
	      app will attempt to send events immediately after getting them.
	      forward means that it will store the events to disk and then
	      attempt to send the records. If the connection cannot be made,
	      it will queue records until it can connect to the remote
	      system. The depth of the queue is controlled by the queue_depth
	      option.

       queue_depth
	      This  option  is	an  unsigned  integer that determines how many
	      records can be buffered to disk before considering it  to	 be  a
	      failure sending. This parameter only affects the forward mode of
	      the mode option. The default depth is 20.

       format This parameter tells the remote logging  app  what  data	format
	      will  be	used  for  the	messages  sent	over the network.  The
	      default is managed which adds some overhead to ensure each  mes‐
	      sage  is properly handled on the remote end, and to receive sta‐
	      tus messages from the remote server.  If ascii is given instead,
	      each  message  is	 a  simple ASCII text line with no overhead at
	      all.

       network_retry_time
	      The time, in seconds, between retries when a  network  error  is
	      detected.	  Note that this pause applies starting after the sec‐
	      ond attempt, so as to avoid unneeded delays if  a	 reconnect  is
	      sufficient to fix the problem.  The default is 1 second.

       max_tries_per_record
	      The  maximum  number of times an attempt is made to deliver each
	      message.	The minimum value is one, as even  a  completely  suc‐
	      cessful  delivery	 requires  at  least  one  try.	  If  too many
	      attempts are made, the  network_failure_action  action  is  per‐
	      formed.  The default is 3.

       max_time_per_record
	      The  maximum  amount  of	time,  in seconds, spent attempting to
	      deliver	each   message.	   Note	   that	   both	   this	   and
	      max_tries_per_record  should be set, as each try may take a long
	      time to time out.	 The default value is 5 seconds.  If too  much
	      time  is used on a message, the network_failure_action action is
	      performed.

       network_failure_action
	      This parameter tells the system what  action  to	take  whenever
	      there  is	 an  error  detected  when sending audit events to the
	      remote system. Valid values are ignore, syslog,  exec,  suspend,
	      single, halt, and stop.  If set to ignore, the audit daemon does
	      nothing.	Syslog means that it will issue a warning  to  syslog.
	      This  is	the  default.	exec  /path-to-script will execute the
	      script. You cannot pass parameters to the script.	 Suspend  will
	      cause  the  remote  logging  app	to stop sending records to the
	      remote system. The logging app will still be alive.  The	single
	      option  will  cause  the	remote logging app to put the computer
	      system in single user mode.  The	stop  option  will  cause  the
	      remote logging app to exit, but leave other plugins running. The
	      halt option will cause the remote logging app to shut down the
	      computer system.

       disk_low_action
	      Likewise, this parameter tells the system what action to take if
	      the remote end signals a disk low	 error.	  The  default	is  to
	      ignore it.

       disk_full_action
	      Likewise, this parameter tells the system what action to take if
	      the remote end signals a disk full error.	  The  default	is  to
	      ignore it.

       disk_error_action
	      Likewise, this parameter tells the system what action to take if
	      the remote end signals a disk error.  The default is to  log  it
	      to syslog.

       remote_ending_action
	      Likewise, this parameter tells the system what action to take if
	      the remote end signals a disk error.  The default is to  suspend
	      logging.

       generic_error_action
	      Likewise, this parameter tells the system what action to take if
	      the remote end signals an error we don't recognize.  The default
	      is to log it to syslog.

       generic_warning_action
	      Likewise, this parameter tells the system what action to take if
	      the remote end  signals  a  warning  we  don't  recognize.   The
	      default is to log it to syslog.

       enable_krb5
	      If  set to "yes", Kerberos 5 will be used for authentication and
	      encryption.  Default is "no".  Note that encryption can only  be
	      used with managed connections, not plain ASCII.

       krb5_principal
	      If specified, this is the expected principal for the server.
	      The client and server will use the specified principal to	 nego‐
	      tiate the encryption.  The format for the krb5_principal is like
	      somename/hostname, see the auditd.conf man page for details.  If
	      not specified, the krb5_client_name and remote_server values are
	      used.

       krb5_client_name
	      This specifies the name portion of the client's  own  principal.
	      If  unspecified,	the default is "auditd".  The remainder of the
	      principal will consist of the host's fully qualified domain name
	      and the default Kerberos realm, like this:
	      auditd/host14.example.com@EXAMPLE.COM (assuming you gave "auditd"
	      as the krb5_client_name).  Note that the client and server must have the
	      same principal name and realm.

       krb5_key_file
	      Location of the key for this client's principal.	Note that  the
	      key  file	 must  be owned by root and mode 0400.	The default is
	      /etc/audisp/audisp-remote.key
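
       The following is an added example, not part of the original man page or of the audit project: a small checker that flags the weak combinations the options above describe (clear-text tcp without Kerberos, ascii format with enable_krb5, actions left at ignore, and a key file that is not root-owned with mode 0400). The "name = value" syntax with # comments, the tcp fallback for an unset transport, and the host name in the sample are assumptions.

```python
import os
import stat

# Man-page defaults; an unset transport is treated as tcp (assumption).
DEFAULTS = {"transport": "tcp", "format": "managed", "enable_krb5": "no",
            "network_failure_action": "syslog", "disk_full_action": "ignore",
            "krb5_key_file": "/etc/audisp/audisp-remote.key"}

# Constructed sample configuration, not taken from a real host.
SAMPLE = """remote_server = logs.example.com
transport = tcp
format = ascii
network_failure_action = ignore
"""

def parse_conf(text):
    # Assumes "name = value" lines; anything after # is a comment.
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def key_file_findings(path):
    # The man page requires the key file to be owned by root with mode 0400.
    try:
        st = os.stat(path)
    except OSError:
        return [f"keyfile: cannot stat {path}"]
    checks = [(st.st_uid != 0, "keyfile: not owned by root"),
              (stat.S_IMODE(st.st_mode) != 0o400, "keyfile: mode is not 0400")]
    return [msg for bad, msg in checks if bad]

def audit(conf, check_key_file=True):
    # Return findings for settings that expose or silently drop audit events.
    findings = []
    krb5 = conf["enable_krb5"].lower() == "yes"
    if conf["transport"].lower() == "tcp" and not krb5:
        findings.append("cleartext: transport=tcp without enable_krb5")
    if krb5 and conf["format"].lower() == "ascii":
        findings.append("conflict: enable_krb5 needs format=managed")
    for opt in ("network_failure_action", "disk_full_action"):
        if conf[opt].lower() == "ignore":
            findings.append(f"ignored: {opt}=ignore")
    if krb5 and check_key_file:
        findings += key_file_findings(conf["krb5_key_file"])
    return findings
```

       Calling audit(parse_conf(SAMPLE)) reports the clear-text transport and both ignored actions; disk_full_action is reported because its default is ignore.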

NOTES
       Specifying a local port may make it difficult to restart the audit sub‐
       system  due  to	the previous connection being in a TIME_WAIT state, if
       you're reconnecting to and from the same hosts and ports as before.

       The network failure logic  works	 as  follows:  The  first  attempt  to
       deliver	normally  "just	 works".   If  it doesn't, a second attempt is
       immediately made, perhaps after reconnecting to	the  server.   If  the
       second attempt also fails, audisp-remote pauses for the configured
       time and tries again.  It continues to pause and retry until either too
       many  attempts  have  been made or the allowed time expires.  Note that
       these times govern the maximum amount of	 time  the  remote  server  is
       allowed	in  order  to reboot, if you want to maintain logging across a
       reboot.
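
       The retry logic above, modelled as an added example (not audisp-remote's own code) to show how long an unreachable server is tolerated before network_failure_action fires. The order in which the two limits are checked and the attempt_cost parameter (seconds a failed attempt takes to time out) are assumptions.

```python
def failure_point(retry_time=1, max_tries=3, max_time=5, attempt_cost=0):
    """Walk the retry loop against a server that never answers.

    Keyword defaults are the man page defaults for network_retry_time,
    max_tries_per_record and max_time_per_record. attempt_cost is a
    hypothetical per-attempt timeout in seconds.
    Returns (seconds elapsed, tries made, limit that fired).
    """
    elapsed, tries = 0, 0
    while True:
        elapsed += attempt_cost          # the attempt itself fails
        tries += 1
        if tries >= max_tries:
            return elapsed, tries, "max_tries_per_record"
        if elapsed >= max_time:
            return elapsed, tries, "max_time_per_record"
        if tries >= 2:                   # pause only starts after the second attempt
            elapsed += retry_time
```

       With the defaults and instantly failing attempts the failure action fires after about one second, so surviving a server reboot means raising both limits together.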

SEE ALSO
       audispd(8), audisp-remote(8).

AUTHOR
       Steve Grubb

Red Hat				   Mar 2008		AUDISP-REMOTE.CONF:(5)