Provided by: auditd_2.8.5-2ubuntu6_amd64 bug

NAME
       audispd - an event multiplexor


SYNOPSIS
       audispd  [-c <config_dir>].SHDESCRIPTION  audispd  is an audit event multiplexor. It has to be started by
       the audit daemon in order to get events. It takes audit events and distributes  them  to  child  programs
       that  want  to  analyze events in realtime. When the audit daemon receives a SIGTERM or SIGHUP, it passes
       that signal to the dispatcher, too. The dispatcher in turn passes those signals to its child processes.

       The child programs install a configuration file in a plugins directory, /etc/audisp/plugins.d.  Filenames
       are not allowed to have more than one '.' in the name or it will be treated as a backup copy and skipped.
       Options are given one per line with an equal sign between  the  keyword  and  its  value.  The  available
       options are as follows:

       active The options for this are yes or no.

       direction
              The  option  is  dictated by the plugin.  In or out are the only choices. You cannot make a plugin
              operate in a way it wasn't designed just by changing this option.This option is to give a clue  to
              the  event  dispatcher  about  which direction events flow. NOTE: inbound events are not supported
              yet.

       path   This is the absolute path to the plugin executable. In the case of internal plugins, it  would  be
              the name of the plugin.

       type   This tells the dispatcher how the plugin wants to be run. Choices are builtin and always.  Builtin
              should always be given for plugins that are internal to the  audit  event  dispatcher.  These  are
              af_unix  and  syslog.  The  option always should be given for most if not all plugins. The default
              setting is always.

       args   This allows you to pass arguments to the child program. Generally plugins do  not  take  arguments
              and  have  their own config file that instructs them how they should be configured. At the moment,
              there is a limit of 2 args.

       format The valid options for this are binary and string.  Binary passes the data  exactly  as  the  audit
              event  dispatcher  gets  it  from  the  audit  daemon.  The  string option tells the dispatcher to
              completely change the event into a string suitable for parsing with the audit parsing library. The
              default value is string.


FILES
       /etc/audisp/audispd.conf /etc/audisp/plugins.d


SEE ALSO
       audispd.conf(5), auditd(8).


AUTHOR
       Steve Grubb