All of lore.kernel.org
* LOG_WARN or LOG_WARNING?
@ 2016-10-04 14:10 leam hall
  2016-10-04 14:29 ` Ryan Sawhill
  2016-10-04 14:36 ` Steve Grubb
  0 siblings, 2 replies; 9+ messages in thread
From: leam hall @ 2016-10-04 14:10 UTC (permalink / raw)
  To: linux-audit

For /etc/audisp/plugins.d/syslog.conf, is "LOG_WARN" an accepted arg, or
does it need to be "LOG_WARNING"?

Thanks!

Leam

-- 
Mind on a Mission <http://leamhall.blogspot.com/>


* Re: LOG_WARN or LOG_WARNING?
  2016-10-04 14:10 LOG_WARN or LOG_WARNING? leam hall
@ 2016-10-04 14:29 ` Ryan Sawhill
  2016-10-04 14:31   ` leam hall
  2016-10-04 14:36 ` Steve Grubb
  1 sibling, 1 reply; 9+ messages in thread
From: Ryan Sawhill @ 2016-10-04 14:29 UTC (permalink / raw)
  To: leam hall; +Cc: linux-audit

On Tue, Oct 4, 2016 at 10:10 AM, leam hall <leamhall@gmail.com> wrote:

> For /etc/audisp/plugins.d/syslog.conf, is "LOG_WARN" an accepted arg, or
> does it need to be "LOG_WARNING"?
>

You must use real facility names as documented in syslog(3), so:
LOG_WARNING.


* Re: LOG_WARN or LOG_WARNING?
  2016-10-04 14:29 ` Ryan Sawhill
@ 2016-10-04 14:31   ` leam hall
  0 siblings, 0 replies; 9+ messages in thread
From: leam hall @ 2016-10-04 14:31 UTC (permalink / raw)
  To: linux-audit

Ryan, thanks!

On Tue, Oct 4, 2016 at 10:29 AM, Ryan Sawhill <rsawhill@redhat.com> wrote:

> On Tue, Oct 4, 2016 at 10:10 AM, leam hall <leamhall@gmail.com> wrote:
>
>> For /etc/audisp/plugins.d/syslog.conf, is "LOG_WARN" an accepted arg, or
>> does it need to be "LOG_WARNING"?
>>
>
> You must use real facility names as documented in syslog(3), so:
> LOG_WARNING.
>

-- 
Mind on a Mission <http://leamhall.blogspot.com/>


* Re: LOG_WARN or LOG_WARNING?
  2016-10-04 14:10 LOG_WARN or LOG_WARNING? leam hall
  2016-10-04 14:29 ` Ryan Sawhill
@ 2016-10-04 14:36 ` Steve Grubb
  2016-10-04 14:58   ` leam hall
  1 sibling, 1 reply; 9+ messages in thread
From: Steve Grubb @ 2016-10-04 14:36 UTC (permalink / raw)
  To: linux-audit

On Tuesday, October 4, 2016 10:10:31 AM EDT leam hall wrote:
> For /etc/audisp/plugins.d/syslog.conf, is "LOG_WARN" an accepted arg, or
> does it need to be "LOG_WARNING"?

LOG_WARNING.

https://fedorahosted.org/audit/browser/trunk/audisp/audispd-builtins.c#L279

-Steve


* Re: LOG_WARN or LOG_WARNING?
  2016-10-04 14:36 ` Steve Grubb
@ 2016-10-04 14:58   ` leam hall
  2016-10-04 15:04     ` Ryan Sawhill
  0 siblings, 1 reply; 9+ messages in thread
From: leam hall @ 2016-10-04 14:58 UTC (permalink / raw)
  To: linux-audit

Sort of a followup question. I'm surprised adding "audit.none" to the
"/var/log/messages" line of rsyslog.conf (RHEL 6) works. I didn't think
audit was a full "facility" in whatever rsyslog looks at. Am I more
confused than normal?

Thanks!

Leam


On Tue, Oct 4, 2016 at 10:36 AM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Tuesday, October 4, 2016 10:10:31 AM EDT leam hall wrote:
> > For /etc/audisp/plugins.d/syslog.conf, is "LOG_WARN" an accepted arg, or
> > does it need to be "LOG_WARNING"?
>
> LOG_WARNING.
>
> https://fedorahosted.org/audit/browser/trunk/audisp/audispd-builtins.c#L279
>
> -Steve
>

-- 
Mind on a Mission <http://leamhall.blogspot.com/>


* Re: LOG_WARN or LOG_WARNING?
  2016-10-04 14:58   ` leam hall
@ 2016-10-04 15:04     ` Ryan Sawhill
  2016-10-04 15:29       ` leam hall
  0 siblings, 1 reply; 9+ messages in thread
From: Ryan Sawhill @ 2016-10-04 15:04 UTC (permalink / raw)
  To: leam hall; +Cc: linux-audit

On Tue, Oct 4, 2016 at 10:58 AM, leam hall <leamhall@gmail.com> wrote:

> Sort of a followup question. I'm surprised adding "audit.none" to the
> "/var/log/messages" line of rsyslog.conf (RHEL 6) works. I didn't think
> audit was a full "facility" in whatever rsyslog looks at. Am I more
> confused than normal?
>

It's not. If you look at your main log you should see a message from
rsyslogd saying something like "unknown facility 'audit'".


* Re: LOG_WARN or LOG_WARNING?
  2016-10-04 15:04     ` Ryan Sawhill
@ 2016-10-04 15:29       ` leam hall
  2016-10-04 15:51         ` Ryan Sawhill
  0 siblings, 1 reply; 9+ messages in thread
From: leam hall @ 2016-10-04 15:29 UTC (permalink / raw)
  To: linux-audit

Hey Ryan,

If I put "audit.none" in /etc/rsyslog.conf for the /var/log/messages line,
it prevents audisp from logging there even though audisp to syslog is
turned on.

Our end state is pretty simple, in theory. We want to have 1 copy of audit
events on the system for auditing and send a remote copy elsewhere.

On Tue, Oct 4, 2016 at 11:04 AM, Ryan Sawhill <rsawhill@redhat.com> wrote:

> On Tue, Oct 4, 2016 at 10:58 AM, leam hall <leamhall@gmail.com> wrote:
>
>> Sort of a followup question. I'm surprised adding "audit.none" to the
>> "/var/log/messages" line of rsyslog.conf (RHEL 6) works. I didn't think
>> audit was a full "facility" in whatever rsyslog looks at. Am I more
>> confused than normal?
>>
>
> It's not. If you look at your main log you should see a message from
> rsyslogd saying something like "unknown facility 'audit'".
>

-- 
Mind on a Mission <http://leamhall.blogspot.com/>


* Re: LOG_WARN or LOG_WARNING?
  2016-10-04 15:29       ` leam hall
@ 2016-10-04 15:51         ` Ryan Sawhill
  2016-10-04 16:00           ` leam hall
  0 siblings, 1 reply; 9+ messages in thread
From: Ryan Sawhill @ 2016-10-04 15:51 UTC (permalink / raw)
  To: leam hall; +Cc: linux-audit

On Tue, Oct 4, 2016 at 11:29 AM, leam hall <leamhall@gmail.com> wrote:

> If I put "audit.none" in /etc/rsyslog.conf for the /var/log/messages line,
> it prevents audisp from logging there even though audisp to syslog is
> turned on.
>

I find that hard to believe, since "audit" is not a facility name and
that's what rsyslog is expecting and the message I wrote IS what rsyslog
prints when you give an invalid facility name, but okay.

> Our end state is pretty simple, in theory. We want to have 1 copy of audit
> events on the system for auditing and send a remote copy elsewhere.
>

Hopefully Steve and friends won't mind that we're so off-topic here, but I
would approach that differently if I were you.

Assuming you're using the rsyslog.conf that comes with RHEL (which includes
/etc/rsyslog.d/*.conf before the main directives like the /var/log/messages
action line):

  echo -e 'if $programname == "audispd" then @remotehost\n& ~' >
/etc/rsyslog.d/audit.conf

Note that if you change the syslog plugin to use one of the local facility
names (and not just change the priority as we discussed earlier), then you
could have rsyslog filter on that instead of the programname -- benefit
being that it will get you closer to only matching on actual audit records.

All that said, if you really want to send audit records to a central host,
I hope you've at least considered using auditd's own native functionality.

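Added example, not code from the audit project or from anyone in this thread: a small POSIX shell script covering both questions above. It checks the "args" line of /etc/audisp/plugins.d/syslog.conf against the names syslog(3) defines (the plugin takes a priority such as LOG_WARNING as its first token and an optional facility such as LOG_LOCAL6 as its second, so LOG_WARN is rejected), then prints the rsyslog rule that goes with that choice: a facility selector when a dedicated local facility is configured, otherwise Ryan's $programname match with the "& ~" discard. It also shows why "audit.none" is not a selector rsyslog knows, since "audit" is not in its facility table. The sample syslog.conf is constructed inline in a temp file, "remotehost" is a placeholder, and nothing under /etc is touched.

```shell
#!/bin/sh
# Added example (not audit-project code): sanity-check the audisp syslog plugin
# args and derive the matching rsyslog forwarding rule.

# Names from syslog(3). The plugin's first arg is a priority, the optional
# second one a facility; spellings like LOG_WARN are in neither list.
PRIORITIES="LOG_EMERG LOG_ALERT LOG_CRIT LOG_ERR LOG_WARNING LOG_NOTICE LOG_INFO LOG_DEBUG"
FACILITIES="LOG_AUTH LOG_AUTHPRIV LOG_DAEMON LOG_SYSLOG LOG_USER LOG_LOCAL0 LOG_LOCAL1 LOG_LOCAL2 LOG_LOCAL3 LOG_LOCAL4 LOG_LOCAL5 LOG_LOCAL6 LOG_LOCAL7"
# Facility names rsyslog accepts in a "facility.priority" selector. "audit"
# is not among them, which is why "audit.none" is an unknown facility.
RSYSLOG_FACILITIES="auth authpriv cron daemon kern lpr mail mark news security syslog user uucp local0 local1 local2 local3 local4 local5 local6 local7"

# in_list WORD "LIST": succeed if WORD is one of the space-separated words in LIST
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# audisp_args_from_conf FILE: print the value of the first "args = ..." line
audisp_args_from_conf() {
    sed -n 's/^[[:space:]]*args[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# validate_audisp_args "PRIO [FAC]": succeed if both tokens are acceptable,
# otherwise explain on stderr and fail
validate_audisp_args() {
    set -- $1                      # word-split the args string
    if [ $# -lt 1 ] || [ $# -gt 2 ]; then
        echo "expected 'priority [facility]', got $# token(s)" >&2
        return 1
    fi
    if ! in_list "$1" "$PRIORITIES"; then
        echo "unknown priority '$1' (LOG_WARNING, not LOG_WARN)" >&2
        return 1
    fi
    if [ $# -eq 2 ] && ! in_list "$2" "$FACILITIES"; then
        echo "unknown facility '$2'" >&2
        return 1
    fi
    return 0
}

# rsyslog_facility_ok NAME: succeed if rsyslog knows NAME as a facility
rsyslog_facility_ok() {
    in_list "$1" "$RSYSLOG_FACILITIES"
}

# rsyslog_rule "PRIO [FAC]" REMOTE: print a two-line legacy-syntax rule for
# /etc/rsyslog.d/ that forwards audispd output to REMOTE and then discards it
# ("& ~") so it never reaches /var/log/messages. With a dedicated facility the
# rule matches on the facility; without one it falls back to the program name.
rsyslog_rule() {
    remote=$2
    set -- $1
    if [ $# -eq 2 ]; then
        fac=$(printf '%s' "$2" | sed 's/^LOG_//' | tr 'A-Z' 'a-z')   # LOG_LOCAL6 -> local6
        printf '%s.* @%s\n& ~\n' "$fac" "$remote"
    else
        printf 'if $programname == "audispd" then @%s\n& ~\n' "$remote"
    fi
}

# Demo on a constructed syslog.conf (a temp file, not the real one under
# /etc/audisp): first the LOG_WARN line from the thread, then a corrected one.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_WARN
format = string
EOF
a=$(audisp_args_from_conf "$tmp")
if validate_audisp_args "$a"; then
    echo "args '$a': ok"
else
    echo "args '$a': rejected"
fi
rm -f "$tmp"

a="LOG_WARNING LOG_LOCAL6"
validate_audisp_args "$a" && echo "args '$a': ok" && rsyslog_rule "$a" remotehost
rsyslog_facility_ok audit || echo "rsyslog would complain about 'audit.none'"
```

Run it with sh; the demo at the bottom rejects LOG_WARN, accepts "LOG_WARNING LOG_LOCAL6" and prints the "local6.* @remotehost" rule for it. A facility selector catches everything any program sends to local6, so keep that facility reserved for audispd if you rely on it. "& ~" is the rsyslog 5 legacy spelling used on RHEL 6; newer rsyslog versions write the same discard as "& stop". The native mechanism Ryan alludes to at the end of his message is the audisp-remote plugin, configured in /etc/audisp/audisp-remote.conf (remote_server, port, transport), which ships audit records to a remote auditd without going through syslog at all.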

* Re: LOG_WARN or LOG_WARNING?
  2016-10-04 15:51         ` Ryan Sawhill
@ 2016-10-04 16:00           ` leam hall
  0 siblings, 0 replies; 9+ messages in thread
From: leam hall @ 2016-10-04 16:00 UTC (permalink / raw)
  To: linux-audit

On Tue, Oct 4, 2016 at 11:51 AM, Ryan Sawhill <rsawhill@redhat.com> wrote:

> On Tue, Oct 4, 2016 at 11:29 AM, leam hall <leamhall@gmail.com> wrote:
>
>> If I put "audit.none" in /etc/rsyslog.conf for the /var/log/messages
>> line, it prevents audisp from logging there even though audisp to syslog is
>> turned on.
>>
>
> I find that hard to believe, since "audit" is not a facility name and
> that's what rsyslog is expecting and the message I wrote IS what rsyslog
> prints when you give an invalid facility name, but okay.
>

I found it odd as well, but it does seem to work.

> All that said, if you really want to send audit records to a central host,
> I hope you've at least considered using auditd's own native functionality.
>

Wasn't aware of it. Pointer to a doc?

Thanks!

Leam

-- 
Mind on a Mission <http://leamhall.blogspot.com/>

