Provided by: auditd_2.8.5-2ubuntu6_amd64 bug

NAME

       audispd - an event multiplexor

SYNOPSIS

       audispd  [-c <config_dir>].SHDESCRIPTION  audispd is an audit event multiplexor. It has to
       be started by the audit daemon  in  order  to  get  events.  It  takes  audit  events  and
       distributes them to child programs that want to analyze events in realtime. When the audit
       daemon receives a SIGTERM or SIGHUP, it passes that signal to  the  dispatcher,  too.  The
       dispatcher in turn passes those signals to its child processes.

       The   child   programs   install   a   configuration   file   in   a   plugins  directory,
       /etc/audisp/plugins.d. Filenames are not allowed to have more than one '.' in the name  or
       it  will  be  treated as a backup copy and skipped. Options are given one per line with an
       equal sign between the keyword and its value. The available options are as follows:

       active The options for this are yes or no.

       direction
              The option is dictated by the plugin.  In or out are the only choices.  You  cannot
              make a plugin operate in a way it wasn't designed just by changing this option.This
              option is to give a clue to the event dispatcher about which direction events flow.
              NOTE: inbound events are not supported yet.

       path   This  is  the  absolute  path  to  the  plugin  executable. In the case of internal
              plugins, it would be the name of the plugin.

       type   This tells the dispatcher how the plugin wants to be run. Choices are  builtin  and
              always.   Builtin should always be given for plugins that are internal to the audit
              event dispatcher. These are af_unix and syslog. The option always should  be  given
              for most if not all plugins. The default setting is always.

       args   This  allows  you  to pass arguments to the child program. Generally plugins do not
              take arguments and have their own config file that instructs them how  they  should
              be configured. At the moment, there is a limit of 2 args.

       format The  valid  options for this are binary and string.  Binary passes the data exactly
              as the audit event dispatcher gets it from the  audit  daemon.  The  string  option
              tells  the  dispatcher  to  completely  change the event into a string suitable for
              parsing with the audit parsing library. The default value is string.

FILES

       /etc/audisp/audispd.conf /etc/audisp/plugins.d

SEE ALSO

       audispd.conf(5), auditd(8).

AUTHOR

       Steve Grubb