We have set up centralized logging of auditd messages for two machines:
- machine (www22.domain.com) is the source (centos8)
- machine (cls.domain.com) is the centralized log server (centos7)
This was done in the standard way using auditd+audisp plugin sending to auditd server listening on port 60, e.g. like described here:
https://luppeng.wordpress.com/2016/08/06/setting-up-centralized-logging-with-auditd/
But then when I observe the audit log on the centralized log server after restarting auditd client on the source, the only thing that appears are the lines
node=cls.domain.com type=DAEMON_CLOSE msg=audit(1632773977.760:3884): addr=::ffff:x.y.z.152 port=42652 res=success
node=cls.domain.com type=DAEMON_ACCEPT msg=audit(1632773988.330:3885): addr=::ffff:x.y.z.152 port=44282 res=success
where ::ffff:x.y.z.152 is obviously due to some packet(s) from IP address x.y.x.152 (address of www22.domain.com). So the TCP connection between client-server gets established and it seems further message logging should work.
But then the only new lines that ever appear in the log file are those that originate on cls.domain.com. There are never audit messages from www22.domain.com.
I've checked what happens if auditd www22.domain.com is set up to write also to local audit log file; then the local file gets lots of messages from audit. But still nothing is sent over the network.
How to make sure the auditd client sends the same messages over the network?
