audisp-remote - plugin for remote logging
is a plugin for the audit event dispatcher daemon, audispd,
that preforms remote logging to an aggregate logging server.
If you are aggregating multiple machines, you should enable node information and
enriched events in the audit event stream. You can do this in one of two
places. If you want computer node names written to disk as well as sent in the
realtime event stream, edit the name_format option in /etc/audit/auditd.conf.
This is the best option for enriched events. If you only want the node names
in the realtime event stream, then edit the name_format option in
/etc/audisp/audispd.conf. Do not enable both as it will put 2 node fields in
the event stream.
- Causes the audisp-remote program to write the value of some
of its internal flags to syslog. The suspend flag tells whether or
not logging has been suspended. The remote_ended flage tells if the
connection was broken by the server saying it can't log events. The
transport_ok flag tells whether or not the connection to the remote
server is healthy. The queue_size tells how many records are
enqueued to be sent to the remote server.
- Causes the audisp-remote program to resume logging if it
were suspended due to an error.
(8), auditd.conf(8), audispd.conf(8),