audisp-remote(8)



NAME

   audisp-remote - plugin for remote logging

SYNOPSIS

   audisp-remote

DESCRIPTION

   audisp-remote  is  a  plugin  for  the  audit  event dispatcher daemon,
   audispd, that performs remote logging to an aggregate logging server.

TIPS

   If you are  aggregating  multiple  machines,  you  should  enable  node
   information  and  enriched events in the audit event stream. You can do
   this in one of two places. If you want computer node names  written  to
   disk as well as sent in the realtime event stream, edit the name_format
   option in /etc/audit/auditd.conf. This is the best option for  enriched
   events.  If  you only want the node names in the realtime event stream,
   then edit the name_format option in  /etc/audisp/audispd.conf.  Do  not
   enable both as it will put 2 node fields in the event stream.
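
   The rule above as a check, added here as an example (it is not part of
   the audit package): it reads name_format from both files and reports
   whether node names are enabled in one place, in both, or in neither.
   The function names are hypothetical; it assumes '#' comment lines,
   case-insensitive keywords and values, and that the last assignment wins.

```shell
#!/bin/sh
# Added example, not from the audit package. Function names are hypothetical.
# Assumptions: '#' starts a comment line, keywords and values are
# case-insensitive, and the last name_format assignment in a file wins.

# Print the effective name_format of a config file, lowercased.
# Prints "none" when the option is unset or the file is unreadable.
name_format_of() {
    [ -r "$1" ] || { echo none; return 0; }
    awk -F= '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        tolower(key) == "name_format" {
            val = $2; gsub(/[ \t\r]/, "", val); found = tolower(val)
        }
        END { print (found == "" ? "none" : found) }
    ' "$1"
}

# Classify a pair of files (auditd.conf, audispd.conf):
# prints one of: both | auditd | audispd | none
node_name_source() {
    a=$(name_format_of "$1")
    d=$(name_format_of "$2")
    if [ "$a" != none ] && [ "$d" != none ]; then echo both
    elif [ "$a" != none ]; then echo auditd
    elif [ "$d" != none ]; then echo audispd
    else echo none
    fi
}

# Constructed sample files (not taken from a real host). On a real system,
# pass /etc/audit/auditd.conf and /etc/audisp/audispd.conf instead.
demo=$(mktemp -d)
printf '# sample\nname_format = HOSTNAME\n' > "$demo/auditd.conf"
printf 'q_depth = 250\nname_format = fqd\n' > "$demo/audispd.conf"
case $(node_name_source "$demo/auditd.conf" "$demo/audispd.conf") in
    both) echo "WARNING: name_format set in both files; events get 2 node fields" ;;
    none) echo "NOTE: name_format is not enabled in either file" ;;
    *)    echo "OK: node names enabled in one place" ;;
esac
rm -rf "$demo"
```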

SIGNALS

   SIGUSR1
          Causes  the  audisp-remote program to write the value of some of
          its internal flags to syslog. The suspend flag tells whether  or
          not  logging has been suspended. The remote_ended flag tells  if
          the connection was broken by the  server  saying  it  can't  log
          events.   The   transport_ok  flag  tells  whether  or  not  the
          connection to the remote server is healthy. The queue_size tells
          how many records are enqueued to be sent to the remote server.

   SIGUSR2
          Causes  the  audisp-remote  program to resume logging if it  was
          suspended due to an error.

FILES

   /etc/audisp/plugins.d/au-remote.conf,           /etc/audit/auditd.conf,
   /etc/audisp/audispd.conf, /etc/audisp/audisp-remote.conf

SEE ALSO

   audispd(8), auditd.conf(8), audispd.conf(8), audisp-remote.conf(5).

AUTHOR

   Steve Grubb



