
audispd(8) [debian man page]

AUDISPD:(8)						  System Administration Utilities					       AUDISPD:(8)

NAME
       audispd - an event multiplexor

SYNOPSIS
       audispd

DESCRIPTION
       audispd is an audit event multiplexor. It has to be started by the audit daemon in order to get events. It takes audit events and distributes them to child programs that want to analyze events in realtime. When the audit daemon receives a SIGTERM or SIGHUP, it passes that signal to the dispatcher, too. The dispatcher in turn passes those signals to its child processes.

       The child programs install a configuration file in a plugins directory, /etc/audisp/plugins.d. Filenames are not allowed to have more than one '.' in the name, or the file will be treated as a backup copy and skipped. Options are given one per line with an equal sign between the keyword and its value. The available options are as follows:

       active
              The options for this are yes or no.

       direction
              The option is dictated by the plugin. In or out are the only choices. You cannot make a plugin operate in a way it wasn't designed just by changing this option. This option is to give a clue to the event dispatcher about which direction events flow. NOTE: inbound events are not supported yet.

       path   This is the absolute path to the plugin executable. In the case of internal plugins, it would be the name of the plugin.

       type   This tells the dispatcher how the plugin wants to be run. Choices are builtin and always. Builtin should always be given for plugins that are internal to the audit event dispatcher. These are af_unix and syslog. The option always should be given for most if not all plugins. The default setting is always.

       args   This allows you to pass arguments to the child program. Generally plugins do not take arguments and have their own config file that instructs them how they should be configured. At the moment, there is a limit of 2 args.

       format The valid options for this are binary and string. Binary passes the data exactly as the audit event dispatcher gets it from the audit daemon. The string option tells the dispatcher to completely change the event into a string suitable for parsing with the audit parsing library. The default value is string.

FILES
       /etc/audisp/audispd.conf
       /etc/audisp/plugins.d

SEE ALSO
       audispd.conf(5), auditd(8).

AUTHOR
       Steve Grubb

Red Hat							     Sept 2007						       AUDISPD:(8)


AUDISPD.CONF:(5)					  System Administration Utilities					  AUDISPD.CONF:(5)

NAME
       audispd.conf - the audit event dispatcher configuration file

DESCRIPTION
       audispd.conf is the file that controls the configuration of the audit event dispatcher. The options that are available are as follows:

       q_depth
              This is a numeric value that tells how big to make the internal queue of the audit event dispatcher. A bigger queue lets it handle a flood of events better, but could hold events that are not processed when the daemon is terminated. If you get messages in syslog about events getting dropped, increase this value. The default value is 80.

       overflow_action
              This option determines how the daemon should react to overflowing its internal queue. When this happens, it means that more events are being received than it can get rid of. This error means that it is going to lose the current event it's trying to dispatch. It has the following choices: ignore, syslog, suspend, single, and halt. If set to ignore, the audisp daemon does nothing. syslog means that it will issue a warning to syslog. suspend will cause the audisp daemon to stop processing events. The daemon will still be alive. The single option will cause the audisp daemon to put the computer system in single user mode. The halt option will cause the audisp daemon to shut down the computer system.

       priority_boost
              This is a non-negative number that tells the audit event dispatcher how much of a priority boost it should take. This boost is in addition to the boost provided from the audit daemon. The default is 4. No change is 0.

       max_restarts
              This is a non-negative number that tells the audit event dispatcher how many times it can try to restart a crashed plugin. The default is 10.

       name_format
              This option controls how computer node names are inserted into the audit event stream. It has the following choices: none, hostname, fqd, numeric, and user. None means that no computer name is inserted into the audit event. hostname is the name returned by the gethostname syscall. The fqd means that it takes the hostname and resolves it with DNS for a fully qualified domain name of that machine. Numeric is similar to fqd except it resolves the IP address of the machine. User is an admin defined string from the name option. The default value is none.

       name   This is the admin defined string that identifies the machine if user is given as the name_format option.

SEE ALSO
       audispd(8)

Red Hat							     Jan 2008						    AUDISPD.CONF:(5)
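As an added example, not part of either man page, a small Python lint that applies the rules from audispd(8) and audispd.conf(5): it skips backup copies by the one-dot filename rule, parses the one-option-per-line format, checks each enumerated option against its allowed values, applies the stated defaults, and enforces the 2-argument limit and the name requirement for name_format=user. Counting args as whitespace-separated words and accepting a builtin_ prefix on internal plugin paths are assumptions.

```python
from typing import Dict, List

PLUGIN_CHOICES = {"active": {"yes", "no"}, "direction": {"in", "out"},
                  "type": {"builtin", "always"}, "format": {"binary", "string"}}
PLUGIN_DEFAULTS = {"type": "always", "format": "string"}      # defaults from audispd(8)
CONF_CHOICES = {"overflow_action": {"ignore", "syslog", "suspend", "single", "halt"},
                "name_format": {"none", "hostname", "fqd", "numeric", "user"}}
CONF_DEFAULTS = {"q_depth": "80", "priority_boost": "4",
                 "max_restarts": "10", "name_format": "none"}  # defaults from audispd.conf(5)

def is_backup_copy(filename: str) -> bool:
    """plugins.d entries with more than one '.' are treated as backups and skipped."""
    return filename.count(".") > 1

def parse_kv(text: str) -> Dict[str, str]:
    """One 'keyword = value' per line; blank lines and '#' comments are ignored."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"no '=' in line: {line!r}")
            opts[key.strip()] = value.strip()
    return opts

def lint_plugin(text: str) -> List[str]:
    """Problems found in one plugins.d file (empty list means it is acceptable)."""
    opts = {**PLUGIN_DEFAULTS, **parse_kv(text)}
    problems = [f"{k}: {opts[k]!r} not in {sorted(v)}"
                for k, v in PLUGIN_CHOICES.items() if k in opts and opts[k] not in v]
    path = opts.get("path", "")
    # internal plugins are af_unix and syslog; the builtin_ prefix is an assumption
    if opts["type"] == "builtin" and path not in {"af_unix", "syslog", "builtin_af_unix", "builtin_syslog"}:
        problems.append("builtin plugins are only af_unix and syslog")
    elif opts["type"] == "always" and not path.startswith("/"):
        problems.append("path must be the absolute path of the plugin executable")
    if len(opts.get("args", "").split()) > 2:   # assumption: args are whitespace-separated
        problems.append("at most 2 args are supported")
    return problems

def lint_conf(text: str) -> List[str]:
    """Problems found in audispd.conf (empty list means it is acceptable)."""
    opts = {**CONF_DEFAULTS, **parse_kv(text)}
    problems = [f"{k} must be a non-negative integer"
                for k in ("q_depth", "priority_boost", "max_restarts") if not opts[k].isdigit()]
    problems += [f"{k}: {opts[k]!r} not in {sorted(v)}"
                 for k, v in CONF_CHOICES.items() if k in opts and opts[k] not in v]
    if opts["name_format"] == "user" and not opts.get("name"):
        problems.append("name_format=user requires the name option")
    return problems
```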