NAME
    audisp-remote.conf - the audisp-remote configuration file
DESCRIPTION
    audisp-remote.conf is the file that controls the configuration of the audit remote logging subsystem. The options that are available are as follows:

OPTIONS
    remote_server
        This is a one word character string that is the remote server hostname or address that this plugin will send log information to. This can be the numeric address or a resolvable hostname.

    port
        This option is an unsigned integer that indicates what port to connect to on the remote machine.

    local_port
        This option is an unsigned integer that indicates what local port to connect from on the local machine. If unspecified (the default) or set to the word any, then any available unprivileged port is used. This is a security mechanism to prevent untrusted user space apps from injecting events into the audit daemon. You should set it to an unused port < 1024 to ensure that only privileged users can bind to that port. Then also set tcp_client_ports in the aggregating auditd.conf file to match the ports that clients are sending from.

    transport
        This parameter tells the remote logging app how to send events to the remote system. The only valid value right now is tcp. If set to tcp, the remote logging app will just make a normal clear text connection to the remote system. This is not used if kerberos is enabled.

    mode
        This parameter tells the remote logging app what strategy to use for getting records to the remote system. Valid values are immediate and forward. If set to immediate, the remote logging app will attempt to send events immediately after getting them. forward means that it will store the events to disk and then attempt to send the records. If the connection cannot be made, it will queue records until it can connect to the remote system. The depth of the queue is controlled by the queue_depth option.

    queue_file
        Path of a file used for the event queue if mode is set to forward. The default is /var/spool/audit/remote.log.

    queue_depth
        This option is an unsigned integer that determines how many records can be buffered to disk or in memory before considering it to be a failure sending. This parameter affects the forward mode of the mode option and internal queueing for temporary network outages. The default depth is 2048.

    format
        This parameter tells the remote logging app what data format will be used for the messages sent over the network. The default is managed, which adds some overhead to ensure each message is properly handled on the remote end, and to receive status messages from the remote server. If ascii is given instead, each message is a simple ASCII text line with no overhead at all. If mode is set to forward, format must be managed.

    network_retry_time
        The time, in seconds, between retries when a network error is detected. Note that this pause applies starting after the second attempt, so as to avoid unneeded delays if a reconnect is sufficient to fix the problem. The default is 1 second.

    max_tries_per_record
        The maximum number of times an attempt is made to deliver each message. The minimum value is one, as even a completely successful delivery requires at least one try. If too many attempts are made, the network_failure_action action is performed. The default is 3.

    max_time_per_record
        The maximum amount of time, in seconds, spent attempting to deliver each message. Note that both this and max_tries_per_record should be set, as each try may take a long time to time out. The default value is 5 seconds. If too much time is used on a message, the network_failure_action action is performed.

    heartbeat_timeout
        This parameter determines how often, in seconds, the client should send a heartbeat event to the remote server. This is used to let both the client and server know that each end is alive and has not terminated without shutting down the connection cleanly. This value must be coordinated with the server's tcp_client_max_idle setting. The default value is 0, which disables sending a heartbeat.

    network_failure_action
        This parameter tells the system what action to take whenever there is an error detected when sending audit events to the remote system. Valid values are ignore, syslog, exec, warn_once, warn_once_continue, suspend, single, halt, and stop. If set to ignore, the remote logging app does nothing. If an event was sent, it is dequeued. syslog means that it will issue a warning to syslog. If an event was sent, it is dequeued. This is the default. exec /path-to-script will execute the script. You cannot pass parameters to the script. If an event was sent, it is dequeued. warn_once_continue is like syslog except that only one message is put in syslog until an event is successfully transferred. warn_once is like warn_once_continue except that the event is not dequeued. suspend will cause the remote logging app to stop sending records to the remote system. The logging app will still be alive. If an event was sent, it is not dequeued. The single option will cause the remote logging app to put the computer system in single user mode. If an event was sent, it is not dequeued. The stop option will cause the remote logging app to exit, but leave other plugins running. If an event was sent, it is not dequeued. The halt option will cause the remote logging app to shut down the computer system. If an event was sent, it is not dequeued. The default is to stop.

    disk_low_action
        Likewise, this parameter tells the system what action to take if the remote end signals a disk low error. The default is ignore.

    disk_full_action
        Likewise, this parameter tells the system what action to take if the remote end signals a disk full error. The default is warn_once.

    disk_error_action
        Likewise, this parameter tells the system what action to take if the remote end signals a disk error. The default is warn_once.

    remote_ending_action
        Likewise, this parameter tells the system what action to take if the remote end ends the connection. This action has one additional option, reconnect, which tells the remote plugin to attempt to reconnect to the server upon receipt of the next audit record. If an event was being sent when something triggered this action, it is not dequeued. If it is unsuccessful in reconnecting, the audit record could be lost. The default is to reconnect.

    generic_error_action
        Likewise, this parameter tells the system what action to take if the remote end signals an error we don't recognize. The default is to log it to syslog.

    generic_warning_action
        Likewise, this parameter tells the system what action to take if the remote end signals a warning we don't recognize. The default is to log it to syslog.

    queue_error_action
        Likewise, this parameter tells the system what action to take if there is a problem working with a local record queue. The default is stop.

    overflow_action
        This parameter tells the system what action to take if the internal event queue overflows. Valid values are ignore, syslog, suspend, single, and halt. If set to ignore, the remote logging app does nothing. syslog means that it will issue a warning to syslog. This is the default. suspend will cause the remote logging app to stop sending records to the remote system. The logging app will still be alive. The single option will cause the remote logging app to put the computer system in single user mode. The halt option will cause the remote logging app to shut down the computer system.

    enable_krb5
        If set to "yes", Kerberos 5 will be used for authentication and encryption. Default is "no". Note that encryption can only be used with managed connections, not plain ASCII.

    krb5_principal
        If specified, this is the expected principal for the server. The client and server will use the specified principal to negotiate the encryption. The format for the krb5_principal is like somename/hostname; see the auditd.conf man page for details. If not specified, the krb5_client_name and remote_server values are used.

    krb5_client_name
        This specifies the name portion of the client's own principal. If unspecified, the default is "auditd". The remainder of the principal will consist of the host's fully qualified domain name and the default Kerberos realm, like this: auditd/host14.example.com@EXAMPLE.COM (assuming you gave "auditd" as the krb5_client_name). Note that the client and server must have the same principal name and realm.

    krb5_key_file
        Location of the key for this client's principal. Note that the key file must be owned by root and mode 0400. The default is /etc/audisp/audisp-remote.key
NOTES
    Specifying a local port may make it difficult to restart the audit subsystem due to the previous connection being in a TIME_WAIT state, if you're reconnecting to and from the same hosts and ports as before.

    The network failure logic works as follows: The first attempt to deliver normally "just works". If it doesn't, a second attempt is immediately made, perhaps after reconnecting to the server. If the second attempt also fails, audisp-remote pauses for the configured time and tries again. It continues to pause and retry until either too many attempts have been made or the allowed time expires. Note that these times govern the maximum amount of time the remote server is allowed in order to reboot, if you want to maintain logging across a reboot.
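To see how network_retry_time, max_tries_per_record and max_time_per_record together bound the retry sequence just described, here is an added example that is not part of the man page or the audit project. It models the schedule for a record that never gets through. Two details the page leaves open are assumptions of this model: each failed attempt is charged a fixed attempt_cost seconds (how long a try takes to time out), and the time budget is checked before each paused retry starts.

```python
"""Added example (not from the man page or the audit project): model the
retry schedule of audisp-remote's network failure logic."""
from typing import List, Tuple


def delivery_attempts(network_retry_time: float = 1.0,
                      max_tries_per_record: int = 3,
                      max_time_per_record: float = 5.0,
                      attempt_cost: float = 0.0) -> Tuple[List[float], str]:
    """Return (start time of each attempt, reason the record was abandoned).

    Parameter defaults are the man page defaults. attempt_cost (assumption,
    not on the page) is how many seconds one failed attempt takes to time out.
    """
    if max_tries_per_record < 1:
        raise ValueError("max_tries_per_record must be at least 1")
    starts: List[float] = []
    t = 0.0
    # First attempt, then an immediate second attempt with no pause.
    for _ in range(min(2, max_tries_per_record)):
        starts.append(t)
        t += attempt_cost
    # Every further attempt is preceded by a network_retry_time pause,
    # and only starts if the per-record time budget is not yet exhausted.
    while len(starts) < max_tries_per_record:
        t += network_retry_time
        if t > max_time_per_record:
            return starts, "max_time_per_record"
        starts.append(t)
        t += attempt_cost
    return starts, "max_tries_per_record"


def tolerated_outage(**settings: float) -> float:
    """Seconds after the first failure at which the last attempt is still made,
    i.e. how long the remote server may be away (e.g. rebooting) before the
    record triggers network_failure_action."""
    starts, _ = delivery_attempts(**settings)
    return starts[-1]


if __name__ == "__main__":
    print("defaults:", delivery_attempts())
    print("slow timeouts, more tries:",
          delivery_attempts(max_tries_per_record=4, attempt_cost=2.0))
    print("outage tolerated with defaults:", tolerated_outage(), "s")
```

With the defaults the third and last attempt starts only one second after the first failure, so a rebooting aggregator is not covered unless mode is forward or the limits are raised. Raising max_tries_per_record alone does not help once each attempt blocks for several seconds, which is why the page says both limits should be set.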
SEE ALSO
    audispd(8), audisp-remote(8), auditd.conf(5).
AUTHOR
    Steve Grubb