LinuxQuestions.org

Thread: CentOS 7 sending audit logs through rsyslogd (https://www.linuxquestions.org/questions/linux-security-4/centos-7-sending-audit-logs-through-rsyslogd-4175649718/)

bradvan 03-07-2019 08:38 AM

CentOS 7 sending audit logs through rsyslogd
 
Have the system set up to send audit logs through the audisp daemon to the rsyslog daemon to be forwarded to a central audit reduction server. This has been working. Now, for some reason, one of the servers is no longer sending. I've checked the configuration and can't find anything wrong. The /etc/audisp/plugins.d/syslog.conf has active set to yes and args set to "LOG_INFO LOG_LOCAL2." In the /etc/rsyslog.conf, I have:
Code:

$PreserveFQDN on
$template REDT,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag% %msg%"
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName fwdREDT
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.*  @@1.2.3.4:514;REDT

I'm running a tcpdump watching "dst host 1.2.3.4 and dst port 514" and don't see anything going out unless I run: "logger -p info --server 1.2.3.4 test." I've checked the /var/lib/rsyslog directory and don't see anything queued. Any other ideas what to check to see why this server is not sending out any logs?
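A forwarding block that stops sending is a detection gap: the local files keep filling, so nothing looks wrong until the central collector is checked. The script below is an added example, not code from the thread or from rsyslog, that lints a legacy-syntax forwarding block and the audisp syslog plugin config for the mistakes that typically break this pipeline: a template string that is not properly closed, a mistyped property name in the template, an action that references a template that was never defined, a disk-assisted queue with no work directory, and an audisp plugin that is not active or names a bad facility. The two sample configs are constructed, modeled on the block posted above; the set of rsyslog property names is a hand-picked subset, so an unfamiliar but valid property would be reported as unknown.

```python
"""Lint an rsyslog forwarding block and audisp syslog plugin config.

Added example, not part of the original thread. Sample configs are constructed.
"""
import re

# Constructed sample: /etc/audisp/plugins.d/syslog.conf as described in the thread.
AUDISP_SYSLOG_CONF = """\
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL2
format = string
"""

# Constructed sample: the forwarding block from /etc/rsyslog.conf, corrected.
RSYSLOG_FORWARD_BLOCK = """\
$PreserveFQDN on
$template REDT,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag% %msg%"
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName fwdREDT
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.*  @@1.2.3.4:514;REDT
"""

# Hand-picked subset of rsyslog message properties (names are case-insensitive).
KNOWN_PROPERTIES = {
    "msg", "rawmsg", "hostname", "fromhost", "fromhost-ip", "syslogtag",
    "programname", "pri", "pri-text", "syslogfacility", "syslogfacility-text",
    "syslogseverity", "syslogseverity-text", "timestamp", "timegenerated",
    "timereported", "procid", "msgid", "app-name", "inputname",
}
SYSLOG_PRIORITIES = {"LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
                     "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"}
SYSLOG_FACILITIES = {"LOG_KERN", "LOG_USER", "LOG_MAIL", "LOG_DAEMON", "LOG_AUTH",
                     "LOG_SYSLOG", "LOG_LPR", "LOG_NEWS", "LOG_UUCP", "LOG_CRON",
                     "LOG_AUTHPRIV", "LOG_FTP"} | {f"LOG_LOCAL{i}" for i in range(8)}

# $template NAME,"string"[,options]  -- the closing quote is mandatory.
TEMPLATE_RE = re.compile(r'^\$template\s+(\w+)\s*,\s*"(.*)"\s*(?:,\s*\w+)?\s*$')
# selector  @host[:port][;template]  (one @ is UDP, @@ is TCP, optional (opts))
FORWARD_RE = re.compile(r'^(\S+)\s+@@?(?:\([^)]*\))?[\w.:\[\]-]+(?:;(\w+))?\s*$')


def parse_audisp(text):
    """Parse 'key = value' lines, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def check_audisp(text):
    """Return findings for the audisp syslog plugin config."""
    findings = []
    conf = parse_audisp(text)
    if conf.get("active", "no").lower() != "yes":
        findings.append("audisp: syslog plugin is not active (active != yes)")
    args = conf.get("args", "").split()
    if not args or args[0] not in SYSLOG_PRIORITIES:
        findings.append(f"audisp: args priority {args[:1]} is not a LOG_* priority")
    if len(args) > 1 and args[1] not in SYSLOG_FACILITIES:
        findings.append(f"audisp: args facility {args[1]!r} is not a LOG_* facility")
    return findings


def check_rsyslog(text):
    """Return findings for a legacy-syntax rsyslog forwarding block."""
    findings, templates, directives, forward_lines = [], set(), {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("$template"):
            m = TEMPLATE_RE.match(line)
            if not m:
                findings.append(f"rsyslog line {n}: template string is not a complete quoted string")
                templates.add(line.split()[1].split(",")[0])  # still record the name
                continue
            name, body = m.groups()
            templates.add(name)
            for prop in re.findall(r"%([^%]*)%", body):
                if prop.split(":")[0].lower() not in KNOWN_PROPERTIES:
                    findings.append(f"rsyslog line {n}: template {name} uses unknown property %{prop}%")
        elif line.startswith("$"):
            key, _, value = line[1:].partition(" ")
            directives[key] = value.strip()
        elif "@" in line:
            forward_lines.append((n, line))
    for n, line in forward_lines:
        m = FORWARD_RE.match(line)
        if not m:
            findings.append(f"rsyslog line {n}: could not parse forwarding action {line!r}")
        elif m.group(2) and m.group(2) not in templates:
            findings.append(f"rsyslog line {n}: action references undefined template {m.group(2)}")
    if "ActionQueueFileName" in directives and "WorkDirectory" not in directives:
        findings.append("rsyslog: $ActionQueueFileName set without $WorkDirectory to spool into")
    if not forward_lines:
        findings.append("rsyslog: no forwarding action (@host or @@host) found")
    return findings


def lint(audisp_text, rsyslog_text):
    """Combined findings; an empty list means nothing obviously wrong."""
    return check_audisp(audisp_text) + check_rsyslog(rsyslog_text)


if __name__ == "__main__":
    for finding in lint(AUDISP_SYSLOG_CONF, RSYSLOG_FORWARD_BLOCK) or ["no findings"]:
        print(finding)
```

This is a pre-check over the text of the block, not a replacement for rsyslog's own parser: on the host, `rsyslogd -N1` validates the real configuration file and reports the line where it stops. Pairing the two with the tcpdump filter from the post gives a repeatable check that can be run after every configuration push rather than only after the collector goes quiet.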

tyler2016 03-08-2019 08:42 AM

Maybe it is selinux? Have you checked your local audit logs to see if selinux is preventing rsyslog from receiving the entries?

bradvan 03-08-2019 11:28 AM

Yes. Not selinux. It was working fine until someone put some entries into salt and pushed it that way. Ever since it has not worked. I've been checking every file, and can't find any problems. But, have been running tcpdump on the outgoing port and never see anything go unless I specifically send it with logger. I'm going to re-trace the setup steps on Monday and see if I can find any error. :)

bradvan 04-01-2019 07:14 AM

Finally got it working, but have no idea how? I commented out the forwarding block, then restarted the rsyslog daemon. Everything started flowing to the /var/log files. I then started to uncomment each line of the forwarding block, then restarted rsyslogd. After each restart, the data was still flowing to the /var/log files. Once I finished uncommenting the forward block, /var/log files were still getting updated. I then ran tcpdump and saw the outgoing data to the central log server. Have no idea what could have been the problem in the first place nor why commenting out some code and then just removing the comments fixed it?
