audisp-remote

AUDISP-REMOTE:(8)       System Administration Utilities      AUDISP-REMOTE:(8)



NAME
       audisp-remote - plugin for remote logging

SYNOPSIS
       audisp-remote

DESCRIPTION
       audisp-remote is a plugin for the audit event dispatcher daemon,
       audispd, that preforms remote logging to an aggregate logging server.


TIPS
       If you are aggregating multiple machines, you should enable node
       information and enriched events in the audit event stream. You can do
       this in one of two places. If you want computer node names written to
       disk as well as sent in the realtime event stream, edit the name_format
       option in /etc/audit/auditd.conf. This is the best option for enriched
       events. If you only want the node names in the realtime event stream,
       then edit the name_format option in /etc/audisp/audispd.conf. Do not
       enable both as it will put 2 node fields in the event stream.


SIGNALS
       SIGUSR1
              Causes the audisp-remote program to write the value of some of
              its internal flags to syslog. The suspend flag tells whether or
              not logging has been suspended. The remote_ended flage tells if
              the connection was broken by the server saying it can't log
              events. The transport_ok flag tells whether or not the
              connection to the remote server is healthy. The queue_size tells
              how many records are enqueued to be sent to the remote server.

       SIGUSR2
              Causes the audisp-remote program to resume logging if it were
              suspended due to an error.


FILES
       /etc/audisp/plugins.d/au-remote.conf, /etc/audit/auditd.conf,
       /etc/audisp/audispd.conf, /etc/audisp/audisp-remote.conf

SEE ALSO
       audispd(8), auditd.conf(8), audispd.conf(8), audisp-remote.conf(5).

AUTHOR
       Steve Grubb



Red Hat                            July 2016                 AUDISP-REMOTE:(8)