I'm setting up a central server using rsyslog and auditd on CentOS 8. I was following this guide on how to send remote audit logs to my central server.

Note: instead of going to /etc/audisp/, these files can be found in /etc/audit/ instead.

So I had the following configurations on both servers:

Client:

/etc/audit/auditd.conf

log_format = ENRICHED
name_format = HOSTNAME

/etc/audit/plugins.d/au-remote.conf

active = yes

/etc/audit/audisp-remote.conf

remote_server = <remote server IP>
port = 60

Central server:

/etc/audit/auditd

tcp_listen_port = 60

Firewall:

60/tcp

I have restarted the auditd services on both servers, but I got these errors: error messages

Anything wrong? Or does making audit immutable affect this?

Gwynn

1 Answer

OK, the guide works. I reread the audit manual again to check about immutable affecting the configuration. Seems like it does! I rebooted the server, since I set it to immutable, and now it works. I thought immutable only applies to the rules and they are separate from the configuration.

Gwynn
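A pre-flight check for the two things this thread turns on, added here as an example and not part of the original posts: whether the client `port` matches the server `tcp_listen_port`, and whether `auditctl -s` reports `enabled 2` (audit configuration locked until reboot). The function names, the 192.0.2.10 address and the sample status output are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample values are hypothetical/constructed.

# Print the value of "key = value" from auditd-style config text on stdin.
conf_get() {  # $1 = key
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print the "enabled" flag from `auditctl -s` output on stdin:
# 0 = disabled, 1 = enabled, 2 = enabled and locked until the next reboot.
audit_enabled_flag() {
    awk '$1 == "enabled" { print $2; exit }'
}

# $1 = client audisp-remote.conf, $2 = server auditd.conf,
# $3 = file holding saved `auditctl -s` output. Returns 0 if nothing is flagged.
check_remote_audit() {
    cport=$(conf_get port < "$1")
    sport=$(conf_get tcp_listen_port < "$2")
    flag=$(audit_enabled_flag < "$3")
    rc=0
    if [ -z "$sport" ]; then
        echo "server: tcp_listen_port is not set"; rc=1
    elif [ "$cport" != "$sport" ]; then
        echo "port mismatch: client=$cport server=$sport"; rc=1
    fi
    if [ "$flag" = "2" ]; then
        echo "audit configuration is locked (enabled 2) until reboot"; rc=1
    fi
    return $rc
}

# Constructed sample: ports agree, but the audit configuration is locked.
demo() {
    d=$(mktemp -d) || return 2
    printf 'remote_server = 192.0.2.10\nport = 60\n' > "$d/audisp-remote.conf"
    printf 'log_format = ENRICHED\ntcp_listen_port = 60\n' > "$d/auditd.conf"
    printf 'enabled 2\nfailure 1\npid 1045\n' > "$d/status"
    check_remote_audit "$d/audisp-remote.conf" "$d/auditd.conf" "$d/status"
    ret=$?
    rm -rf "$d"
    return $ret
}

demo || echo "demo: issues reported above"
```

On a live host, save the output of `auditctl -s` to a file and pass it together with the real configuration file paths.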