
Sending logs over network

Mateusz Piotrowski edited this page Aug 22, 2016 · 1 revision

This page describes how to configure a Linux-based system to send its audit logs to auditdistd(8) on FreeBSD.

Sender (Linux)

Configure audisp-remote

There is a tool called audisp-remote which allows Linux Audit events to be sent to a remote server.

Its configuration file is /etc/audisp/audisp-remote.conf. It might look like this:

remote_server = 10.0.0.1
port = 514
transport = tcp

if there is a server 10.0.0.1 listening on port TCP 514.

Details on The audisp-remote Behaviour

audisp-remote adds a header to every log it sends over plain TCP (I know nothing about the case where Kerberos is used). The header is 16 bytes long. The first 4 bytes are the magic number fe0000ff. Then the version is added (which is always 0). Then again 0 for mver. Then 6 bytes for the type, 10 bytes for the length and 12 bytes for the sequence number (see audit-userspace/lib/private.h:AUDIT_RMW_PACK_HEADER).
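The following is an added example of a receiver-side framing check for that header, not code from the page or from the audit-userspace project. It assumes the field layout I read from AUDIT_RMW_PACK_HEADER: 4-byte magic, 1-byte ver, 1-byte mver, 2-byte type, 4-byte length, 4-byte sequence number, all in network byte order, which puts the type at offset 6 and the sequence number at offset 12; it also assumes the magic is sent as the bytes ff 00 00 fe (the same four bytes read as a little-endian integer give fe0000ff). Treat the layout and the byte order as assumptions to verify against private.h. The MAX_PAYLOAD bound and the sample frames are constructed for the example; since the stream is plain TCP with nothing authenticating it, the receiver validates magic, versions and length before trusting a frame, and sequence gaps are reported so dropped events are visible.

```python
import struct

# Assumed wire layout of the 16-byte audisp-remote header (my reading of
# AUDIT_RMW_PACK_HEADER in audit-userspace lib/private.h; an assumption):
#   0..3   magic   0xff0000fe, big-endian (reads as fe0000ff if taken little-endian)
#   4      ver     header version, always 0
#   5      mver    message version, always 0
#   6..7   type    message type, big-endian
#   8..11  len     payload length in bytes, big-endian
#   12..15 seq     sequence number, big-endian
HEADER_FMT = "!IBBHII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 16
MAGIC = 0xFF0000FE
MAX_PAYLOAD = 8192  # receiver-side limit; a local policy choice, not part of the protocol


class FrameError(ValueError):
    """Raised when a header fails validation."""


def pack_frame(msg_type, seq, payload):
    """Build one header+payload frame the way a sender would (used to construct sample input)."""
    return struct.pack(HEADER_FMT, MAGIC, 0, 0, msg_type, len(payload), seq) + payload


def parse_header(buf):
    """Validate a 16-byte header and return its type, payload length and sequence number."""
    if len(buf) < HEADER_SIZE:
        raise FrameError("short header: %d bytes" % len(buf))
    magic, ver, mver, mtype, length, seq = struct.unpack(HEADER_FMT, buf[:HEADER_SIZE])
    if magic != MAGIC:
        raise FrameError("bad magic 0x%08x" % magic)
    if ver != 0 or mver != 0:
        raise FrameError("unsupported header/message version %d/%d" % (ver, mver))
    if length > MAX_PAYLOAD:
        # Bound the length before anything allocates or waits on it.
        raise FrameError("payload length %d exceeds limit %d" % (length, MAX_PAYLOAD))
    return {"type": mtype, "len": length, "seq": seq}


def split_frames(stream):
    """Extract every complete frame from a byte stream.

    Returns (frames, leftover): frames is a list of (header, payload) tuples,
    leftover is the trailing partial frame to prepend to the next read.
    """
    frames = []
    off = 0
    while len(stream) - off >= HEADER_SIZE:
        hdr = parse_header(stream[off:off + HEADER_SIZE])
        end = off + HEADER_SIZE + hdr["len"]
        if end > len(stream):
            break  # payload not fully received yet
        frames.append((hdr, stream[off + HEADER_SIZE:end]))
        off = end
    return frames, stream[off:]


def sequence_gaps(frames):
    """Return (expected, got) pairs wherever the sequence number skips ahead."""
    gaps = []
    prev = None
    for hdr, _ in frames:
        if prev is not None and hdr["seq"] != prev + 1:
            gaps.append((prev + 1, hdr["seq"]))
        prev = hdr["seq"]
    return gaps


if __name__ == "__main__":
    # Constructed sample: two full frames, one gap in the sequence, then a truncated frame.
    data = (pack_frame(1, 10, b"type=SYSCALL msg=audit(1471824000.000:1): arch=c000003e")
            + pack_frame(1, 12, b"type=CWD msg=audit(1471824000.000:1): cwd=\"/\"")
            + pack_frame(1, 13, b"type=PATH msg=audit(1471824000.000:1): item=0")[:20])
    frames, rest = split_frames(data)
    print(len(frames), "frames,", len(rest), "bytes pending, gaps:", sequence_gaps(frames))
```

Feed each TCP read through split_frames with the previous leftover prepended; a FrameError means the stream is out of sync and the connection should be dropped rather than resynchronised by scanning for the magic.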

Related