Provided by: audispd-plugins_1.7.11-1ubuntu1_i386

NAME

       audisp-remote.conf - the audisp-remote configuration file

DESCRIPTION

       audisp-remote.conf  is  the file that controls the configuration of the
       audit remote logging subsystem. The options that are available  are  as
       follows:

       remote_server
              This  is  a  one word character string that is the remote server
              hostname or address that this daemon will send  log  information
              to. This can be the numeric address or a resolvable hostname.

       port   This  option  is an unsigned integer that indicates what port to
              connect to on the remote machine.

       local_port
              This option is an unsigned integer  that  indicates  what  local
              port  to connect from on the local machine.  If unspecified (the
              default) or set to the word any then any available  unprivileged
              port  is used. This is a security mechanism to prevent untrusted
              user space apps from injecting events into the audit daemon. You
              should  set  it  to  an  unused  port < 1024 to ensure that only
              privileged users can bind  to  that  port.  Then  also  set  the
              tcp_client_ports  in  the  aggregating auditd.conf file to match
              the ports that clients are sending from.

       transport
              This parameter tells the remote logging app how to  send  events
              to the remote system. The only valid value right now is tcp.  If
              set to tcp, the remote logging app will just make a normal clear
              text  connection  to  the  remote  system.  This  is not used if
              kerberos is enabled.

       mode   This parameter tells the remote logging app what strategy to use
              getting records to the remote system.  Valid  values  are
              immediate and forward.  If set to immediate, the remote  logging
              app will attempt to send events immediately after getting  them.
              forward, which is not implemented yet, means that it will  store
              the events to disk and then attempt to send the records. If  the
              connection cannot be made, it will queue records until  it  can
              connect to the remote system. The depth of the queue is
              controlled by the queue_depth option.

       queue_depth
              This option is an unsigned  integer  that  determines  how  many
              records  can  be  buffered to disk before considering it to be a
              failure sending. This parameter only affects the forward mode of
              the mode option. The default depth is 20.

       format This  parameter  tells  the  remote logging app what data format
              will be used for  the  messages  sent  over  the  network.   The
              default  is  managed  which  adds  some  overhead to ensure each
              message is properly handled on the remote end,  and  to  receive
              status  messages  from  the  remote  server.   If ascii is given
              instead, each message is  a  simple  ASCII  text  line  with  no
              overhead at all.

       network_retry_time
              The  time,  in  seconds, between retries when a network error is
              detected.  Note that  this  pause  applies  starting  after  the
              second attempt, so as to avoid unneeded delays if a reconnect is
              sufficient to fix the problem.  The default is 1 second.

       max_tries_per_record
              The maximum number of times an attempt is made to  deliver  each
              message.   The  minimum  value  is  one,  as  even  a completely
              successful delivery requires at least  one  try.   If  too  many
              attempts   are   made,   the  network_failure_action  action  is
              performed.  The default is 3.

       max_time_per_record
              The maximum amount of time,  in  seconds,  spent  attempting  to
              deliver    each    message.     Note    that   both   this   and
              max_tries_per_record should be set, as each try may take a  long
              time  to time out.  The default value is 5 seconds.  If too much
              time is used on a message, the network_failure_action action  is
              performed.

       heartbeat_timeout
              This parameter determines how often in seconds the client should
              send a heartbeat event to the remote server. This is used to let
              both the client and server know that each end is alive  and  has
              not terminated without cleanly shutting  down  the  connection.
              This value must be coordinated with the server’s
              tcp_client_max_idle setting.  The default  value  is  0  which
              disables sending a heartbeat.

       network_failure_action
              This  parameter  tells  the  system what action to take whenever
              there is an error detected when  sending  audit  events  to  the
              remote  system.  Valid values are ignore, syslog, exec, suspend,
              single, halt, and stop.  If set to ignore, the audit daemon does
              nothing.   Syslog  means that it will issue a warning to syslog.
              This is the default.   exec  /path-to-script  will  execute  the
              script.  You cannot pass parameters to the script.  Suspend will
              cause the remote logging app to  stop  sending  records  to  the
              remote  system.  The logging app will still be alive. The single
              option will cause the remote logging app  to  put  the  computer
              system  in  single  user  mode.  The  stop option will cause the
              remote logging app to exit, but leave other plugins running. The
              halt  option  will  cause the remote logging app to shutdown the
              computer system.

       disk_low_action
              Likewise, this parameter tells the system what action to take if
              the  remote  end  signals  a  disk low error.  The default is to
              ignore it.

       disk_full_action
              Likewise, this parameter tells the system what action to take if
              the  remote  end  signals  a disk full error.  The default is to
              ignore it.

       disk_error_action
              Likewise, this parameter tells the system what action to take if
              the  remote  end signals a disk error.  The default is to log it
              to syslog.

       remote_ending_action
              Likewise, this parameter tells the system what action to take if
              the  remote  end  signals  a  disk  error.  This  action has one
              additional option, reconnect which tells the  remote  plugin  to
              attempt  to  reconnect  to  the  server upon receipt of the next
              audit record. If it is unsuccessful, the audit record  could  be
              lost. The default is to suspend logging.

       generic_error_action
              Likewise, this parameter tells the system what action to take if
              the remote end signals an error we don’t recognize.  The default
              is to log it to syslog.

       generic_warning_action
              Likewise, this parameter tells the system what action to take if
              the remote end  signals  a  warning  we  don’t  recognize.   The
              default is to log it to syslog.

       enable_krb5
              If  set to "yes", Kerberos 5 will be used for authentication and
              encryption.  Default is "no".  Note that encryption can only  be
              used with managed connections, not plain ASCII.

       krb5_principal
              If  specified,  this  is  the expected principal for the server.
              The client and  server  will  use  the  specified  principal  to
              negotiate  the encryption.  The format for the krb5_principal is
              like  somename/hostname,  see  the  auditd.conf  man  page   for
              details.    If   not   specified,   the   krb5_client_name   and
              remote_server values are used.

       krb5_client_name
              This specifies the name portion of the client’s  own  principal.
              If  unspecified,  the default is "auditd".  The remainder of the
              principal will consist of the host’s fully qualified domain name
              and     the     default     Kerberos     realm,    like    this:
              auditd/host14.example.com@EXAMPLE.COM   (assuming    you    gave
              "auditd"  as  the  krb5_client_name).  Note  that the client and
              server must have the same principal name and realm.

       krb5_key_file
              Location of the key for this client’s principal.  Note that  the
              key  file  must  be owned by root and mode 0400.  The default is
              /etc/audisp/audisp-remote.key.
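       The following is an added example, not part of audispd-plugins: a small
       Python checker that parses the "key = value" format of this file and
       reports the settings the options above describe as weak (clear-text
       transport, ascii format, an unprivileged local_port, and a silent
       network_failure_action). Both configurations in it are constructed
       samples, and the hostname is made up.

```python
# Added example (not part of audispd-plugins): lint an audisp-remote.conf
# against the advice in this man page. Both configurations are constructed.

WEAK_CONF = """\
remote_server = collector.example.com
port = 60
local_port = any
format = ascii
network_failure_action = ignore
enable_krb5 = no
"""

HARDENED_CONF = """\
remote_server = collector.example.com
port = 60
local_port = 600          # < 1024, so only root can bind it
format = managed          # needed for krb5 and for server status messages
network_failure_action = syslog
enable_krb5 = yes
krb5_key_file = /etc/audisp/audisp-remote.key
"""

def parse_conf(text):
    """Parse 'key = value' lines; '#' comments and blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit_conf(conf):
    """Return a list of findings for settings this man page warns about."""
    findings = []
    krb5 = conf.get("enable_krb5", "no").lower() == "yes"
    fmt = conf.get("format", "managed")
    if not krb5:
        findings.append("enable_krb5=no: events cross the network in clear text")
    if fmt == "ascii":
        findings.append("format=ascii: no delivery status from the server")
    if krb5 and fmt == "ascii":
        findings.append("enable_krb5=yes requires format=managed")
    local_port = conf.get("local_port", "any")
    if not local_port.isdigit() or int(local_port) >= 1024:
        findings.append("local_port unprivileged: use an unused port < 1024")
    if conf.get("network_failure_action", "syslog") == "ignore":
        findings.append("network_failure_action=ignore: failures go unreported")
    return findings
```

       Run audit_conf(parse_conf(open("/etc/audisp/audisp-remote.conf").read()))
       to check a live file; an empty list means none of the flagged settings
       are present.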

NOTES

       Specifying a local port may make it  difficult  to  restart  the  audit
       subsystem due to the previous connection being in a TIME_WAIT state, if
       you’re reconnecting to and from the same hosts and ports as before.

       The network failure logic  works  as  follows:  The  first  attempt  to
       deliver  normally  "just  works".   If  it doesn’t, a second attempt is
       immediately made, perhaps after reconnecting to  the  server.   If  the
       second  attempt  also  fails,  audisp-remote  pauses for the configured
       time and tries again.  It continues to pause and retry until either too
       many  attempts  have  been made or the allowed time expires.  Note that
       these times govern the maximum amount of  time  the  remote  server  is
       allowed  in  order  to reboot, if you want to maintain logging across a
       reboot.
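       The retry sequence just described, as an added simulation that is not
       part of audisp-remote: the first retry is immediate, later retries are
       separated by network_retry_time, and the record is given up on once
       max_tries_per_record or max_time_per_record is reached. Time is
       modelled rather than measured; try_cost is an assumed number of seconds
       a failed attempt takes to time out, and fails_then_succeeds is a
       constructed stand-in for the server.

```python
# Added example (not part of audisp-remote): a simulation of the retry
# sequence described in NOTES. Time is modelled, not measured: `try_cost` is
# an assumed number of seconds each failed attempt takes before it times out.

def deliver(send, network_retry_time=1, max_tries_per_record=3,
            max_time_per_record=5, try_cost=0):
    """Try to deliver one record using the man page's default values.

    `send` is a callable returning True on success. Returns a tuple
    (delivered, tries, elapsed_seconds, action) where action is
    "network_failure_action" when the record is given up on.
    """
    tries, elapsed = 0, 0
    while True:
        tries += 1
        if send():
            return True, tries, elapsed, None
        elapsed += try_cost
        if tries >= max_tries_per_record or elapsed >= max_time_per_record:
            return False, tries, elapsed, "network_failure_action"
        # The first retry is immediate; the pause only starts after the
        # second attempt has also failed.
        if tries >= 2:
            elapsed += network_retry_time
            if elapsed >= max_time_per_record:
                return False, tries, elapsed, "network_failure_action"

def fails_then_succeeds(n):
    """Constructed server stand-in: fail the first n attempts, then succeed."""
    state = {"calls": 0}
    def send():
        state["calls"] += 1
        return state["calls"] > n
    return send

def worst_case_seconds(network_retry_time=1, max_tries_per_record=3,
                       max_time_per_record=5, try_cost=0):
    """Longest a record is retried before the failure action fires, which is
    the window a server reboot must fit into if no records are to be lost."""
    _, _, elapsed, _ = deliver(lambda: False, network_retry_time,
                               max_tries_per_record, max_time_per_record,
                               try_cost)
    return elapsed
```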

SEE ALSO

       audispd(8), audisp-remote(8), auditd.conf(5).

AUTHOR

       Steve Grubb