Using RHEL6, I currently have audispd set up to send logs to a remote server. The remote server successfully receives the messages and writes them to the remote audit log. My problem is, I can't seem to get the forwarded messages (local ones work) to be processed by audispd and written to rsyslog.

This doesn't work:

box1 auditd ===> box1 audispd ===> box2 auditd XXX> box2 audispd XXX> box2 rsyslog

This does:

box2 auditd ===> box2 audispd ===> box2 rsyslog

I know generally how to configure audispd to send local logs to rsyslog, but the forwarded logs are not going to rsyslog. The X's above show where the traffic is not reaching its destination.

I'm not looking to use imfile or other workarounds unless it is not possible to send forwarded messages through audispd on box2. I know I can send to rsyslog on box1, but it is my intention not to.

0 Answers