Audit Dispatcher Plugin not working.

mehmetmirac
Posts: 11
Joined: 2022/03/31 06:37:43


Post by mehmetmirac » 2023/03/21 12:26:30

Hi expert :)

I wanted to learn how Audit Dispatcher (audisp) works but I couldn't.

I have two virtual machines. One of them is admin and the other is app. To use audisp I set the configs on my app machine like this:

1. /etc/audisp/audisp-remote.conf:

Code:

remote_server = <ADMIN IP>
port = 60
local_port = 60
transport = tcp
mode = immediate
queue_depth = 200
format = managed
2. /etc/audisp/plugins.d/au-remote.conf

Code:

active = yes
direction = out
path = /sbin/audisp-remote
type = always
args = /etc/audisp/audisp-remote.conf
format = string
3. /etc/audit/auditd.conf

Code:

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
[attached screenshot: MicrosoftTeams-image (1).png]
This is how the configurations are set. But what could I be doing wrong? Why is audisp not working? Or does it work but I can't see it? If audisp is running, why can't I see the output of the audit rules I wrote on my admin machine? How can I see the audit logs I forwarded? I would be grateful if you could help me :)
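An added example, not code from the original post or from the audit project: a POSIX shell check that reads the sender side of the setup above (the au-remote.conf plugin stanza and audisp-remote.conf) together with the auditd.conf of the machine that is supposed to receive the events, and reports the mismatches that most often make a forward silently do nothing: the plugin not active, remote_server left as a placeholder, tcp_listen_port still commented out on the receiver so its auditd never listens, a port mismatch, or a sender local_port outside the receiver's tcp_client_ports range. The sample files are constructed inline from the values in the post; the admin IP 192.0.2.10, the receiver-side auditd.conf variants and their file names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): offline consistency check
# between an audisp-remote sender and the auditd that should receive from it.
# Sample files below are constructed from the post; 192.0.2.10 and the
# receiver-side auditd.conf variants are assumptions.

# conf_get FILE KEY: print the value of "KEY = value" (first uncommented hit).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# check_forwarding PLUGIN_CONF REMOTE_CONF RECEIVER_AUDITD_CONF
# Prints each finding; returns 0 only when the three files agree.
check_forwarding() {
    plugin=$1 remote=$2 receiver=$3 rc=0

    [ "$(conf_get "$plugin" active)" = "yes" ] \
        || { echo "FAIL: au-remote plugin is not active (needs active = yes)"; rc=1; }
    [ "$(conf_get "$plugin" direction)" = "out" ] \
        || { echo "FAIL: au-remote plugin direction must be out"; rc=1; }

    server=$(conf_get "$remote" remote_server)
    case $server in
        ""|*"<"*|*">"*) echo "FAIL: remote_server unset or still a placeholder: '$server'"; rc=1 ;;
    esac

    # auditd only opens a listening socket when tcp_listen_port is set (uncommented).
    sender_port=$(conf_get "$remote" port)
    listen_port=$(conf_get "$receiver" tcp_listen_port)
    if [ -z "$listen_port" ]; then
        echo "FAIL: receiver auditd.conf has no uncommented tcp_listen_port, so it never listens"; rc=1
    elif [ "$sender_port" != "$listen_port" ]; then
        echo "FAIL: sender port ($sender_port) differs from receiver tcp_listen_port ($listen_port)"; rc=1
    fi

    # If the receiver restricts client source ports, the sender's local_port must fall inside.
    client_ports=$(conf_get "$receiver" tcp_client_ports)
    local_port=$(conf_get "$remote" local_port)
    if [ -n "$client_ports" ] && [ -n "$local_port" ] && [ "$local_port" != "any" ]; then
        lo=${client_ports%-*} hi=${client_ports#*-}
        if [ "$local_port" -lt "$lo" ] || [ "$local_port" -gt "$hi" ]; then
            echo "FAIL: local_port $local_port is outside receiver tcp_client_ports $client_ports"; rc=1
        fi
    fi

    [ "$rc" -eq 0 ] && echo "OK: sender and receiver settings are consistent"
    return "$rc"
}

# make_samples: write the constructed sample files to a temp dir and print its path.
# "bad" mirrors the post (tcp_listen_port commented out); "restricted" adds a
# client-port range the sender's local_port = 60 violates; "good" is the assumed fix.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/au-remote.conf" <<'EOF'
active = yes
direction = out
path = /sbin/audisp-remote
type = always
args = /etc/audisp/audisp-remote.conf
format = string
EOF
    cat > "$d/audisp-remote.conf" <<'EOF'
remote_server = 192.0.2.10
port = 60
local_port = 60
transport = tcp
mode = immediate
queue_depth = 200
format = managed
EOF
    cat > "$d/auditd-receiver-bad.conf" <<'EOF'
local_events = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
EOF
    cat > "$d/auditd-receiver-restricted.conf" <<'EOF'
local_events = yes
tcp_listen_port = 60
tcp_client_ports = 1024-65535
EOF
    cat > "$d/auditd-receiver-good.conf" <<'EOF'
local_events = yes
tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
EOF
    echo "$d"
}

# Demonstration run over the three receiver variants.
dir=$(make_samples)
for receiver in auditd-receiver-bad.conf auditd-receiver-restricted.conf auditd-receiver-good.conf; do
    echo "== receiver: $receiver"
    check_forwarding "$dir/au-remote.conf" "$dir/audisp-remote.conf" "$dir/$receiver" || echo "   (exit status 1)"
done
rm -rf "$dir"
```

To use it on a real pair of VMs, copy the admin machine's /etc/audit/auditd.conf next to the app machine's two audisp files and point check_forwarding at them. The live counterparts of the same checks are `ss -ltnp` on the admin VM (auditd must show up bound to the chosen port) and `systemctl status auditd` plus the syslog on the app VM, where audisp-remote reports connection failures. Audit rules fire on the machine where they are loaded (`auditctl -l` lists them), so rules meant to produce forwarded events belong on the app VM, and the forwarded records arrive in the admin VM's own /var/log/audit/audit.log; setting `name_format` on the sender to `hostname` or `fqd` instead of `NONE` makes every forwarded record carry a `node=` field, so `ausearch --node <app hostname>` on the admin VM selects exactly the records that came over the wire.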
