I have the system set up to send audit logs through the audisp daemon to the rsyslog daemon, to be forwarded to a central audit reduction server. This has been working. Now, for some reason, one of the servers is no longer sending. I've checked the configuration and can't find anything wrong. The /etc/audisp/plugins.d/syslog.conf has active set to yes and args set to "LOG_INFO LOG_LOCAL2". In the /etc/rsyslog.conf, I have:
Code:
$PreserveFQDN on
# Forwarding template (the property is TIMESTAMP; the format string must be closed with a quote)
$template REDT,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag% %msg% id:23855911"
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName fwdREDT
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
# Forward everything over TCP (@@) to the collector, formatted with the template above
*.* @@1.2.3.4:514;REDT
I'm running a tcpdump watching "dst host 1.2.3.4 and dst port 514" and don't see anything going out unless I run "logger -p info --server 1.2.3.4 test". I've checked the /var/lib/rsyslog directory and don't see anything queued. Any other ideas what to check to see why this server is not sending out any logs?
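As an added example (not from the original post, and not rsyslog's or audit's own tooling), the following script performs the offline checks a practitioner would run on this audisp -> rsyslog -> collector chain: it validates constructed copies of the two config files, modelled on the ones quoted above, and only touches the live daemons when LIVE=1. The sample configs, the helper function names and the short allow-list of template property names are assumptions for illustration; the "broken" sample deliberately reproduces an unclosed template string and the property name %TIMESTAMPT%, which rsyslog does not recognise.

```shell
#!/bin/sh
# Added example, not from the original post: static checks on the
# audisp -> rsyslog -> collector chain. All sample configs are constructed.

# Is the audisp syslog plugin enabled?  Exit status 0 for "active = yes".
audisp_plugin_active() {
    grep -Eiq '^[[:space:]]*active[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Count legacy $template lines whose format string is not closed (odd number
# of double quotes). rsyslog reports this as a config error, and the action
# that refers to the template cannot be set up. rsyslogd -N1 would show it
# too; this check needs no daemon.
unterminated_templates() {
    grep -E '^[[:space:]]*\$template' "$1" | awk '
        { if (gsub(/"/, "&") % 2 == 1) bad++ }
        END { print bad + 0 }'
}

# Print template property names not in a small allow-list of common rsyslog
# properties (the allow-list is an assumption; extend it for your templates).
unknown_template_properties() {
    grep -E '^[[:space:]]*\$template' "$1" \
      | grep -Eo '%[A-Za-z]+' | tr -d '%' \
      | grep -Evx '(PRI|TIMESTAMP|HOSTNAME|syslogtag|msg|rawmsg|programname|FROMHOST)' \
      || true
}

# Target of the first legacy "selector @@host:port;template" forwarding action.
forward_target() {
    sed -nE 's/^[[:space:]]*[^[:space:]]+[[:space:]]+@@?([^;[:space:]]+).*/\1/p' "$1" | head -n 1
}

# Run every check; findings go to stderr, the problem count to stdout.
check_chain() {
    problems=0
    audisp_plugin_active "$1" || { echo "audisp syslog plugin is not active" >&2; problems=$((problems + 1)); }
    n=$(unterminated_templates "$2")
    [ "$n" -eq 0 ] || { echo "$n unterminated \$template line(s)" >&2; problems=$((problems + 1)); }
    unk=$(unknown_template_properties "$2")
    [ -z "$unk" ] || { echo "unknown template property: $unk" >&2; problems=$((problems + 1)); }
    [ -n "$(forward_target "$2")" ] || { echo "no @@host:port forwarding action found" >&2; problems=$((problems + 1)); }
    echo "$problems"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed copy of /etc/audisp/plugins.d/syslog.conf with the plugin enabled.
cat > "$tmp/syslog.conf" <<'EOF'
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL2
format = string
EOF

# Constructed rsyslog.conf with an unclosed template string and a property
# name (TIMESTAMPT) that rsyslog does not know.
cat > "$tmp/rsyslog-broken.conf" <<'EOF'
$PreserveFQDN on
$template REDT,"<%PRI%>%TIMESTAMPT% %HOSTNAME% %syslogtag% %msg%
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName fwdREDT
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* @@1.2.3.4:514;REDT
EOF

# The same file with the template closed and the property name corrected.
cat > "$tmp/rsyslog-fixed.conf" <<'EOF'
$PreserveFQDN on
$template REDT,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName fwdREDT
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* @@1.2.3.4:514;REDT
EOF

echo "broken config: $(check_chain "$tmp/syslog.conf" "$tmp/rsyslog-broken.conf") problem(s)"
echo "fixed config:  $(check_chain "$tmp/syslog.conf" "$tmp/rsyslog-fixed.conf") problem(s)"

# Live checks on the affected host, skipped unless LIVE=1 so the script also
# runs offline: rsyslog's own syntax check, then a test message through the
# local syslog socket on the facility/priority the audisp plugin uses.
if [ "${LIVE:-0}" = 1 ]; then
    rsyslogd -N1
    logger -p local2.info "audisp forwarding test $(date +%s)"
fi
```

Run it with LIVE=1 on the affected host while the tcpdump filter from the post is active. The logger call here deliberately goes through the local syslog socket, because a message sent with "logger --server 1.2.3.4" is written by logger straight to the collector and never passes through the local rsyslog, so seeing it on the wire says nothing about whether the forwarding rule works.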