Hello ,

Thank you for your comment, but I have tried the same way also, but it seems the receiving server is not accepting the connection ...

I have no idea how to get the Octopussy server configured for rsyslog ... Does anyone have an idea, or has anyone configured rsyslog for Octopussy? Then please help.

Below I am pasting the rsyslog server-side configuration, and I have enabled "active = yes" in the client auditd configuration ... kindly look into it once.


[root@octopussy ~]# cat /etc/rsyslog.conf
#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
[root@octopussy ~]# cat /etc/rsyslog.d/10-octopussy.conf
#########################################
#### GLOBAL DIRECTIVES FOR OCTOPUSSY ####
#########################################

$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0750
$Umask 0022
$WorkDirectory /var/lib/octopussy/local/rsyslog
$CreateDirs on

$MaxMessageSize 8k

$ActionQueueMaxDiskSpace 1g
$ActionQueueFileName rsyslog
$ActionQueueHighWaterMark 250000
$ActionQueueLowWaterMark 200000
$ActionQueueType LinkedList # [FixedArray/LinkedList/Direct/Disk]
$ActionQueueSaveOnShutdown on
$ActionQueueWorkerThreads 1 # 1 cpu

*.* |/var/spool/octopussy/octo_fifo


###############
#### RULES ####
###############

# Remove all messages from other server
:hostname, !isequal, "octopussy" ~

++++++++++++++++++++++++++++++++++++++++++


On Tue, Aug 7, 2012 at 12:58 PM, Vámos Balázs <vamos.balazs@zuriel.hu> wrote:
Hi,

Details:

Open /etc/audisp/plugins.d/syslog.conf
Set active = yes
restart auditd

With this configuration you do not need to use syslog-ng to read and
send content of audit.log. Just forward the syslog as you usually do.


Notice that the format of the syslog message will be a bit different:

Aug  7 09:00:54 znb06 audispd: node=znb06 type=CWD msg=audit(1344322854.313:1056):  cwd="/"
vs.
Aug  7 09:00:54 znb06 your-tag: type=CWD msg=audit(1344322854.313:1056):  cwd="/"


Regards,

Balazs Vamos
LOGalyze.com
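As an added illustration (not part of this thread or of the Octopussy/rsyslog configuration above), here is a small Python parser that accepts both message shapes shown in the reply: the audispd form with a `node=` prefix and the tagged form without it. The sample lines are constructed here, modelled on the two examples in the reply; the PATH record and the sshd line are made up to exercise the parser. `group_by_event` correlates records that share the same audit serial, which is what a collector needs to reassemble one audit event from its SYSCALL/CWD/PATH records once they arrive as separate syslog messages.

```python
import re
from collections import defaultdict

# Syslog header in the shape shown in the thread: "Aug  7 09:00:54 znb06 audispd: ..."
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<body>.*)$"
)
# Audit payload: an optional "node=<host> " prefix (present when audispd's syslog
# plugin emits the record), then "type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <fields>"
_AUDIT = re.compile(
    r"^(?:node=(?P<node>\S+)\s+)?type=(?P<type>\S+)\s+"
    r"msg=audit\((?P<secs>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# key=value fields: the value is either double-quoted (may contain spaces) or a bare token
_FIELD = re.compile(r'(?P<key>[A-Za-z0-9_]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')

# Constructed sample input, modelled on the two examples in the reply above.
# The PATH record and the sshd line are made up here to exercise the parser.
SAMPLE_LINES = [
    'Aug  7 09:00:54 znb06 audispd: node=znb06 type=CWD msg=audit(1344322854.313:1056):  cwd="/"',
    'Aug  7 09:00:54 znb06 audispd: node=znb06 type=PATH msg=audit(1344322854.313:1056): '
    'item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100000 ouid=0 ogid=0',
    'Aug  7 09:00:54 znb06 your-tag: type=CWD msg=audit(1344322854.313:1056):  cwd="/"',
    'Aug  7 09:00:55 znb06 sshd[2100]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2',
]


def parse_audit_syslog(line):
    """Parse one syslog line carrying an audit record.

    Returns a dict, or None when the line is not an audit record. 'node' is the
    host named inside the record (audispd form) or None (tagged form); callers
    that need an origin host should fall back to the syslog 'host' field.
    """
    head = _HEADER.match(line.rstrip("\n"))
    if head is None:
        return None
    audit = _AUDIT.match(head.group("body"))
    if audit is None:
        return None
    fields = {}
    for m in _FIELD.finditer(audit.group("rest")):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        fields[m.group("key")] = value
    return {
        "timestamp": head.group("ts"),
        "host": head.group("host"),
        "tag": head.group("tag"),
        "node": audit.group("node"),
        "type": audit.group("type"),
        "audit_time": float(audit.group("secs") + "." + audit.group("ms")),
        "serial": int(audit.group("serial")),
        "fields": fields,
    }


def group_by_event(lines):
    """Correlate records into audit events.

    auditd emits one event as several records (SYSCALL, CWD, PATH, ...) that share
    the same (origin host, timestamp, serial) triple. Lines that are not audit
    records are skipped. Returns {(host, audit_time, serial): [record, ...]}.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_audit_syslog(line)
        if rec is None:
            continue
        origin = rec["node"] or rec["host"]
        events[(origin, rec["audit_time"], rec["serial"])].append(rec)
    return dict(events)


if __name__ == "__main__":
    for key, records in group_by_event(SAMPLE_LINES).items():
        print(key, [r["type"] for r in records])
```

The fallback from `node` to the syslog hostname is the point of the two formats: with the audispd plugin the originating host is carried inside the record, so it survives relaying through an intermediate syslog hop; with a custom tag it only exists in the syslog header and can be rewritten by a relay.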


On 08/07/2012 07:35 AM, Balazs Scheidler wrote:
>
> Hi,
>
> you probably need to tell auditd to log to syslog on the client hosts.
>
>
> ----- Original message -----
> > Hi Folks,
> >
> > Need your help!
> >
> > Want to configure a centralized Audit server (Currently the centralized
> > server is running Octopussy Web interface,  which receives logs from
> > remote hosts by Rsyslog ).
> >
> > The challenge and confusion here is .. all my Linux clients are
> > configured with syslog-ng and the daemon is sending all the system logs
> > and kernel logs like messages, secure, cron logs etc ... without any
> > trouble.
> >
> > The problem is the syslog-ng daemon is not able to send the auditd logs
> > (/var/log/audit.log) to the rsyslog server,
> >
> > Hence request your help to guide me how to set up syslog-ng to forward
> > the audit.log to the remote rsyslog server.
> >
> > It would be great if I can get client-side and server-side configuration
> > guidelines.
> >
> > --
> > Thanks in Advance
> > - Koresh
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>





--
Thanks & Regards,
- Koresh