Provided by: audispd-plugins_1.7.18-1ubuntu1_i386 bug

NAME

       audisp-remote.conf - the audisp-remote configuration file

DESCRIPTION

       audisp-remote.conf  is  the file that controls the configuration of the
       audit remote logging subsystem. The options that are available  are  as
       follows:

       remote_server
              This  is  a  one word character string that is the remote server
              hostname or address that this daemon will send  log  information
              to. This can be the numeric address or a resolvable hostname.

       port   This  option  is an unsigned integer that indicates what port to
              connect to on the remote machine.

       local_port
              This option is an unsigned integer  that  indicates  what  local
              port  to connect from on the local machine.  If unspecified (the
              default) or set to the word any then any available unpriviledged
              port  is used. This is a security mechanism to prevent untrusted
              user space apps from injecting events into the audit daemon. You
              should  set  it  to  an  unused  port < 1024 to ensure that only
              privileged users can bind  to  that  port.  Then  also  set  the
              tcp_client_ports  in  the  aggregating auditd.conf file to match
              the ports that clients are sending from.

       transport
              This parameter tells the remote logging app how to  send  events
              to the remote system. The only valid value right now is tcp.  If
              set to tcp, the remote logging app will just make a normal clear
              text  connection  to  the  remote  system.  This  is not used if
              kerberos is enabled.

       mode   This parameter tells the remote logging app what strategy to use
              getting   records   to  the  remote  system.  Valid  values  are
              immediate, and forward  .   If  set  to  immediate,  the  remote
              logging  app  will  attempt  to  send  events  immediately after
              getting them.  forward , which is  not  implemented  yet,  means
              that  it  will store the events to disk and then attempt to send
              the records. If the connection cannot be  made,  it  will  queue
              records  until it can connection to the remote system. The depth
              of the queue is controlled by the queue_depth option.

       queue_depth
              This option is an unsigned  integer  that  determines  how  many
              records  can be buffered to disk or in memory before considering
              it to be a failure sending. This parameter affects  the  forward
              mode  of  the  mode  option  and internal queueing for temporary
              network outtages. The default depth is 200.

       format This parameter tells the remote logging  app  what  data  format
              will  be  used  for  the  messages  sent  over the network.  The
              default is managed which  adds  some  overhead  to  ensure  each
              message  is  properly  handled on the remote end, and to receive
              status messages from the  remote  server.   If  ascii  is  given
              instead,  each  message  is  a  simple  ASCII  text line with no
              overhead at all.

       network_retry_time
              The time, in seconds, between retries when a  network  error  is
              detected.   Note  that  this  pause  applies  starting after the
              second attempt, so as to avoid unneeded delays if a reconnect is
              sufficient to fix the problem.  The default is 1 second.

       max_tries_per_record
              The  maximum  number of times an attempt is made to deliver each
              message.  The  minimum  value  is  one,  as  even  a  completely
              successful  delivery  requires  at  least  one try.  If too many
              attempts  are  made,  the   network_failure_action   action   is
              performed.  The default is 3.

       max_time_per_record
              The  maximum  amount  of  time,  in seconds, spent attempting to
              deliver   each   message.    Note    that    both    this    and
              max_tries_per_record  should be set, as each try may take a long
              time to time out.  The default value is 5 seconds.  If too  much
              time  is used on a message, the network_failure_action action is
              performed.

       heartbeat_timeout
              This parameter determines how often in seconds the client should
              send a heartbeat event to the remote server. This is used to let
              both the client and server know that each end is alive  and  has
              not  terminated in a way that it did not shutdown the connection
              uncleanly. This value must  be  coordinated  with  the  server's
              tcp_client_max_idle  setting.  The  default  value  is  0  which
              disables sending a heartbeat.

       network_failure_action
              This parameter tells the system what  action  to  take  whenever
              there  is  an  error  detected  when sending audit events to the
              remote system. Valid values are ignore, syslog,  exec,  suspend,
              single, halt, and stop.  If set to ignore, the audit daemon does
              nothing.  Syslog means that it will issue a warning  to  syslog.
              This  is  the  default.   exec  /path-to-script will execute the
              script. You cannot pass parameters to the script.  Suspend  will
              cause  the  remote  logging  app  to stop sending records to the
              remote system. The logging app will still be alive.  The  single
              option  will  cause  the  remote logging app to put the computer
              system in single user mode.  The  stop  option  will  cause  the
              remote logging app to exit, but leave other plugins running. The
              halt option will cause the remote logging app  to  shutdown  the
              computer system.

       disk_low_action
              Likewise, this parameter tells the system what action to take if
              the remote end signals a disk low  error.   The  default  is  to
              ignore it.

       disk_full_action
              Likewise, this parameter tells the system what action to take if
              the remote end signals a disk full error.   The  default  is  to
              ignore it.

       disk_error_action
              Likewise, this parameter tells the system what action to take if
              the remote end signals a disk error.  The default is to  log  it
              to syslog.

       remote_ending_action
              Likewise, this parameter tells the system what action to take if
              the remote end  signals  a  disk  error.  This  action  has  one
              additional  option,  reconnect  which tells the remote plugin to
              attempt to reconnect to the server  upon  receipt  of  the  next
              audit  record.  If it is unsuccessful, the audit record could be
              lost. The default is to suspend logging.

       generic_error_action
              Likewise, this parameter tells the system what action to take if
              the remote end signals an error we don't recognize.  The default
              is to log it to syslog.

       generic_warning_action
              Likewise, this parameter tells the system what action to take if
              the  remote  end  signals  a  warning  we  don't recognize.  The
              default is to log it to syslog.

       enable_krb5
              If set to "yes", Kerberos 5 will be used for authentication  and
              encryption.   Default is "no".  Note that encryption can only be
              used with managed connections, not plain ASCII.

       krb5_principal
              If specified, This is the expected  principal  for  the  server.
              The  client  and  server  will  use  the  specified principal to
              negotiate the encryption.  The format for the krb5_principal  is
              like   somename/hostname,  see  the  auditd.conf  man  page  for
              details.    If   not   specified,   the   krb5_client_name   and
              remote_server values are used.

       krb5_client_name
              This  specifies  the name portion of the client's own principal.
              If unspecified, the default is "auditd".  The remainder  of  the
              principal will consist of the host's fully qualified domain name
              and    the    default     Kerberos     realm,     like     this:
              auditd/host14.example.com@EXAMPLE.COM    (assuming    you   gave
              "auditd" as the krb_client_name).   Note  that  the  client  and
              server must have the same principal name and realm.

       krb5_key_file
              Location  of the key for this client's principal.  Note that the
              key file must be owned by root and mode 0400.   The  default  is
              /etc/audisp/audisp-remote.key

NOTES

       Specifying  a  local  port  may  make it difficult to restart the audit
       subsystem due to the previous connection being in a TIME_WAIT state, if
       you're reconnecting to and from the same hosts and ports as before.

       The  network  failure  logic  works  as  follows:  The first attempt to
       deliver normally "just works".  If it  doesn't,  a  second  attempt  is
       immediately  made,  perhaps  after  reconnecting to the server.  If the
       second attempt also fails, audispd-remote  pauses  for  the  configured
       time and tries again.  It continues to pause and retry until either too
       many attempts have been made or the allowed time  expires.   Note  that
       these  times  govern  the  maximum  amount of time the remote server is
       allowed in order to reboot, if you want to maintain  logging  across  a
       reboot.

SEE ALSO

       audispd(8), audisp-remote(8), auditd.conf(5).

AUTHOR

       Steve Grubb