.TH AUDISP-REMOTE.CONF "5" "Mar 2011" "Red Hat" "System Administration Utilities"
.SH NAME
audisp-remote.conf \- the audisp-remote configuration file
.SH DESCRIPTION
\fBaudisp-remote.conf\fP is the file that controls the configuration of the audit remote logging subsystem. The options that are available are as follows:
.TP
.I remote_server
This is a one word character string that is the remote server hostname or address that this plugin will send log information to. This can be the numeric address or a resolvable hostname.
.TP
.I port
This option is an unsigned integer that indicates what port to connect to on the remote machine.
.TP
.I local_port
This option is an unsigned integer that indicates what local port to
connect from on the local machine. If unspecified (the default) or
set to the word
.I any
then any available unprivileged port is used. This option is a security mechanism to prevent untrusted user space apps from injecting events into the aggregating audit daemon: set it to an unused port < 1024 so that only privileged users can bind to that port, and then set tcp_client_ports in the aggregating auditd.conf file to match the ports that clients send from.
.TP
.I transport
This parameter tells the remote logging app how to send events to the remote system. The only valid value right now is
.IR tcp ".
If set to
.IR tcp ,
the remote logging app will just make a normal clear text connection to the remote system. This is not used if kerberos is enabled.
.TP
.I mode
This parameter tells the remote logging app what strategy to use getting records to the remote system. Valid values are
.IR immediate " and " forward .
If set to
.IR immediate ,
the remote logging app will attempt to send events immediately after getting them.
.I forward
means that it will store the events to disk and then attempt to send the records. If the connection cannot be made, it will queue records until it can connect to the remote system. The depth of the queue is controlled by the
.I queue_depth
option.
.TP
.I queue_file
Path of a file used for the event queue if
.I mode
is set to \fIforward\fP. The default is \fB/var/spool/audit/remote.log\fP.
.TP
.I queue_depth
This option is an unsigned integer that determines how many records can be buffered to disk or in memory before considering it to be a failure sending. This parameter affects the
.I forward
mode of the
.I mode
option and internal queueing for temporary network outages. The default depth is 2048.
.TP
.I format
This parameter tells the remote logging app what data format will be
used for the messages sent over the network. The default is
.I managed
which adds some overhead to ensure each message is properly handled on
the remote end, and to receive status messages from the remote server.
If
.I ascii
is given instead, each message is a simple ASCII text line with no
overhead at all. If
.I mode
is set to \fIforward\fP,
.I format
must be \fImanaged\fP.
.TP
.I network_retry_time
The time, in seconds, between retries when a network error is
detected. Note that this pause applies starting after the second
attempt, so as to avoid unneeded delays if a reconnect is sufficient
to fix the problem. The default is 1 second.
.TP
.I max_tries_per_record
The maximum number of times an attempt is made to deliver each
message. The minimum value is one, as even a completely successful
delivery requires at least one try. If too many attempts are made,
the network_failure_action action is performed. The default is 3.
.TP
.I max_time_per_record
The maximum amount of time, in seconds, spent attempting to deliver
each message. Note that both this and
.I max_tries_per_record
should be set, as each try may take a long time to time out. The
default value is 5 seconds. If too much time is used on a message,
the network_failure_action action is performed.
.TP
.I heartbeat_timeout
This parameter determines how often, in seconds, the client should send a heartbeat event to the remote server. This lets both the client and the server know that the other end is still alive and has not terminated without cleanly shutting down the connection. This value must be coordinated with the server's
.I tcp_client_max_idle
setting. The default value is 0 which disables sending a heartbeat.
.TP
.I network_failure_action
This parameter tells the system what action to take whenever there is an error
detected when sending audit events to the remote system. Valid values are
.IR ignore ", " syslog ", " exec ", " suspend ", " single ", " halt ", and " stop .
If set to
.IR ignore ,
the remote logging app does nothing.
.I syslog
means that it will issue a warning to syslog. This is the default.
.I exec
/path-to-script will execute the script. You cannot pass parameters to the script.
.I suspend
will cause the remote logging app to stop sending records to the remote system. The logging app will still be alive. The
.I single
option will cause the remote logging app to put the computer system in single user mode. The
.I stop
option will cause the remote logging app to exit, but leave other plugins running. The
.I halt
option will cause the remote logging app to shutdown the computer system.
.TP
.I disk_low_action
Likewise, this parameter tells the system what action to take if the
remote end signals a disk low error. The default is to ignore it.
.TP
.I disk_full_action
Likewise, this parameter tells the system what action to take if the
remote end signals a disk full error. The default is to ignore it.
.TP
.I disk_error_action
Likewise, this parameter tells the system what action to take if the
remote end signals a disk error. The default is to log it to syslog.
.TP
.I remote_ending_action
Likewise, this parameter tells the system what action to take if the
remote end ends the connection. This action has one additional option,
.I reconnect
which tells the remote plugin to attempt to reconnect to the server upon receipt of the next audit record. If it is unsuccessful, the audit record could be lost. The default is to reconnect.
.TP
.I generic_error_action
Likewise, this parameter tells the system what action to take if the
remote end signals an error we don't recognize. The default is to log
it to syslog.
.TP
.I generic_warning_action
Likewise, this parameter tells the system what action to take if the
remote end signals a warning we don't recognize. The default is to
log it to syslog.
.TP
.I queue_error_action
Likewise, this parameter tells the system what action to take if there
is a problem working with a local record queue. The default is to exit.
.TP
.I overflow_action
This parameter tells the system what action to take if the
internal event queue overflows. Valid values are
.IR ignore ", " syslog ", " suspend ", " single ", and " halt .
If set to
.IR ignore ,
the remote logging app does nothing.
.I syslog
means that it will issue a warning to syslog. This is the default.
.I suspend
will cause the remote logging app to stop sending records to the remote system. The logging app will still be alive. The
.I single
option will cause the remote logging app to put the computer system in single user mode. The
.I halt
option will cause the remote logging app to shutdown the computer system.
.TP
.I enable_krb5
If set to "yes", Kerberos 5 will be used for authentication and
encryption. Default is "no". Note that encryption can only be used
with managed connections, not plain ASCII.
.TP
.I krb5_principal
If specified, this is the expected principal for the server. The
client and server will use the specified principal to negotiate the
encryption. The format for the
.I krb5_principal
is like somename/hostname, see the auditd.conf man page for
details. If not specified, the krb5_client_name and remote_server values
are used.
.TP
.I krb5_client_name
This specifies the name portion of the client's own principal. If
unspecified, the default is "auditd". The remainder of the principal
will consist of the host's fully qualified domain name and the default
Kerberos realm, like this:
.I auditd/host14.example.com@EXAMPLE.COM
(assuming you gave "auditd" as the krb5_client_name). Note that the
client and server must have the same principal name and realm.
.TP
.I krb5_key_file
Location of the key for this client's principal.
Note that the key file must be owned by root and mode 0400.
The default is
.I /etc/audisp/audisp-remote.key
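The following checker is an added example, not part of the audit project: it parses a constructed audisp-remote.conf and reports violations of the constraints documented above (forward mode and Kerberos both require the managed format, local_port should be a privileged port matched by the aggregator's tcp_client_ports, and the key file must be root-owned with mode 0400). The parse_conf, lint and key_file_findings names and the sample values are the example's own.

```python
import stat
# Constructed sample audisp-remote.conf (not taken from any real host).
SAMPLE_CONF = """\
remote_server = collector.example.com
port = 60
local_port = any
mode = forward
format = ascii
enable_krb5 = yes
krb5_key_file = /etc/audisp/audisp-remote.key
"""

# Man page defaults for the options inspected here.
DEFAULTS = {"local_port": "any", "mode": "immediate",
            "format": "managed", "enable_krb5": "no"}

def parse_conf(text):
    """Parse 'key = value' lines into a dict; '#' starts a comment."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def lint(conf):
    """Return (severity, message) findings for the documented constraints."""
    findings = []
    if conf["mode"] == "forward" and conf["format"] != "managed":
        findings.append(("error", "mode=forward requires format=managed"))
    if conf["enable_krb5"] == "yes" and conf["format"] != "managed":
        findings.append(("error", "enable_krb5=yes requires format=managed; "
                                  "ascii messages are never encrypted"))
    port = conf["local_port"]
    if port == "any" or not port.isdigit() or int(port) >= 1024:
        findings.append(("warn", f"local_port={port}: unprivileged users can bind it; "
                                 "use a free port < 1024 and list it in the "
                                 "aggregator's tcp_client_ports"))
    return findings

def key_file_findings(st_uid, st_mode):
    """Check an os.stat() uid/mode pair against the root-owned, 0400 rule."""
    findings = []
    if st_uid != 0:
        findings.append(("error", "krb5_key_file must be owned by root"))
    if stat.S_IMODE(st_mode) != 0o400:
        findings.append(("error", f"krb5_key_file mode {oct(stat.S_IMODE(st_mode))}, expected 0o400"))
    return findings
```

Running the sample through lint() yields the mode/format error, the Kerberos error and the local_port warning; key_file_findings() takes the st_uid and st_mode of os.stat() on the configured krb5_key_file.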
.SH "NOTES"
Specifying a local port may make it difficult to restart the audit
subsystem due to the previous connection being in a TIME_WAIT state,
if you're reconnecting to and from the same hosts and ports as before.
The network failure logic works as follows: The first attempt to
deliver normally "just works". If it doesn't, a second attempt is
immediately made, perhaps after reconnecting to the server. If
the second attempt also fails,
.I audisp-remote
pauses for the configured time and tries again. It continues to pause
and retry until either too many attempts have been made or the allowed
time expires. Note that these times govern the maximum amount of time
the remote server is allowed in order to reboot, if you want to
maintain logging across a reboot.
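A model of the retry policy described in this section and under network_retry_time, max_tries_per_record and max_time_per_record, added as an example rather than taken from the plugin's code: deliver() applies the immediate second attempt, the pause from the second attempt on, and both limits with the man page defaults. The FakeClock and flaky_sender stubs are constructed so the timing can be exercised without a network, and the assumption that the limits are checked between attempts is the example's own.

```python
# Man page defaults for the three timing options.
NETWORK_RETRY_TIME = 1       # seconds between retries, from the second attempt on
MAX_TRIES_PER_RECORD = 3
MAX_TIME_PER_RECORD = 5      # seconds

def deliver(send, now, sleep, retry_time=NETWORK_RETRY_TIME,
            max_tries=MAX_TRIES_PER_RECORD, max_time=MAX_TIME_PER_RECORD):
    """Model of the documented delivery policy for one record.

    send()  -> True on success, False on a network error.
    now()   -> current time in seconds; sleep(s) advances it.
    Returns (delivered, tries, elapsed); a False result is the point at
    which network_failure_action would run.  Assumption of this model:
    the two limits are checked between attempts, never mid-attempt.
    """
    start = now()
    tries = 0
    while True:
        tries += 1
        if send():
            return True, tries, now() - start
        if tries >= max_tries:              # too many attempts
            return False, tries, now() - start
        if tries >= 2:                      # first retry is immediate, later ones pause
            sleep(retry_time)
        if now() - start >= max_time:       # allowed time expired
            return False, tries, now() - start

class FakeClock:
    """Constructed clock so the policy runs without real waiting."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds

def flaky_sender(clock, failures, cost=0.0):
    """Constructed stub: fails `failures` times; every attempt costs `cost`
    seconds, which stands in for a slow connection timeout."""
    left = [failures]
    def send():
        clock.t += cost
        if left[0] > 0:
            left[0] -= 1
            return False
        return True
    return send
```

With the defaults, two failures still deliver on the third try after a single one-second pause, while two attempts that each take 2.5 seconds to time out exhaust max_time_per_record long before max_tries_per_record, which is why the man page says both should be set.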
.SH "SEE ALSO"
.BR audispd (8),
.BR audisp-remote (8),
.BR auditd.conf (5).
.SH AUTHOR
Steve Grubb