I'd like to track down processes that try to connect to a certain port (on a remote host).
So, I discovered that auditd is very powerful for this kind of task. The following commands instruct auditd to log every connect syscall:
auditctl -a always,exit -F arch=b64 -S connect
auditctl -a always,exit -F arch=b32 -S connect
The log is then stored in /var/log/audit/. But the content is pretty complex. There's ausearch that can be used to filter the log, but maybe some of you already know how to solve this.
P.S. I don't want to use netstat because I want to see even the failed connections etc.
Thanks in advance
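As an added example (not from the question or the comments), here is a parser that joins the SYSCALL and SOCKADDR records auditd writes for the connect rule above and reports which process tried to reach a given destination port, failed attempts included. The log lines are constructed samples, and the function and variable names are my own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample audit.log records (values made up) as produced by the
# `-S connect` rule: one SYSCALL line plus one SOCKADDR line per event id.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1480759000.123:456): arch=c000003e syscall=42 success=no exit=-111 a0=3 a1=7ffd1c2e0a40 a2=10 a3=0 items=0 ppid=1 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="curl" exe="/usr/bin/curl" key=(null)
type=SOCKADDR msg=audit(1480759000.123:456): saddr=02000050C0A801010000000000000000
type=SYSCALL msg=audit(1480759001.500:457): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffd1c2e0a40 a2=10 a3=0 items=0 ppid=1 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="ssh" exe="/usr/bin/ssh" key=(null)
type=SOCKADDR msg=audit(1480759001.500:457): saddr=02000016C0A801020000000000000000
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

def decode_saddr(hexstr):
    """Decode auditd's hex-dumped sockaddr into (address, port); None if not IPv4/IPv6."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[0:2], "little")  # sa_family_t is in host byte order
    port = int.from_bytes(raw[2:4], "big")       # sin_port / sin6_port are network order
    if family == 2 and len(raw) >= 8:            # AF_INET: sockaddr_in
        return str(ipaddress.IPv4Address(raw[4:8])), port
    if family == 10 and len(raw) >= 24:          # AF_INET6: sockaddr_in6 (4-byte flowinfo first)
        return str(ipaddress.IPv6Address(raw[8:24])), port
    return None

def connects_to_port(log_text, port):
    """Join SYSCALL and SOCKADDR records by event id; return connect attempts to `port`."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        events[m.group(2)].update(fields)  # group(2) is the per-event serial number
    hits = []
    for fields in events.values():
        # With only the `-S connect` rule loaded, every SYSCALL record is a connect().
        if "syscall" not in fields or "saddr" not in fields:
            continue
        dst = decode_saddr(fields["saddr"])
        if dst is None or dst[1] != port:
            continue
        hits.append({"pid": int(fields["pid"]), "comm": fields["comm"], "exe": fields["exe"],
                     "dst": dst, "success": fields["success"] == "yes",
                     "exit": int(fields["exit"])})  # e.g. -111 is ECONNREFUSED (RST received)
    return hits
```

A refused connection shows up with success=no and a negative errno in exit, which is exactly the failed attempt netstat never shows.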
What is a failed connection? If you are thinking about port 80/443, then there is no such thing. If instead you are thinking of ssh/ftp/telnet connections, you do not need auditd; all the info you will ever be able to obtain is in /var/log/auth.log. – MariusMatutiae – 2016-12-03T09:27:41.283
With failed connection I mean when a program tries to establish a TCP connection and gets an RST flag in the TCP response, or just no response... I want to track down attempts to establish connections (from local to somewhere else) on certain ports. – user2543740 – 2016-12-03T14:55:00.830
In your shoes, I would use iptables' LOG queue. – MariusMatutiae – 2016-12-03T21:21:50.107
Thanks, seems a nice idea, but how do I specify to log the process id or similar? I looked it up but it seems no one does that. – user2543740 – 2016-12-04T01:36:15.030