audisp-remote - plugin for remote logging

       Steve Grubb

Red Hat                                            August 2018                                  AUDISP-REMOTE(8)

audisp-remote  is  a  plugin  for the audit event dispatcher that performs remote logging to an aggregate
       logging server.

       /etc/audit/audisp-remote.conf /etc/audit/plugins.d/au-remote.conf /etc/audit/auditd.conf

       audisp-remote - plugin for remote logging

auditd.conf(8), auditd-plugins(5), audisp-remote.conf(5).

       SIGUSR1
              Causes  the  audisp-remote program to write the value of some of its internal flags to syslog. The
              suspend flag tells whether or not logging has been suspended. The remote_ended flag tells  if  the
              connection  was  broken  by  the  server  saying  it can't log events. The transport_ok flag tells
              whether or not the connection to the remote server is  healthy.  The  queue_size  tells  how  many
              records are enqueued to be sent to the remote server.

       SIGUSR2
              Causes the audisp-remote program to resume logging if it were suspended due to an error.

audisp-remote

       If you are aggregating multiple machines, you should edit auditd.conf to set the name_format to something
       meaningful and the log_format to enriched. This way you can tell where the event came from and  have  the
       user name and groups resolved locally before it is sent off of the machine.