Send auditd logs to another computer

Tags: logs, monitoring, nfs

On a Linux (Debian) box, I have an NFS server which seems to be overloaded by requests. In order to identify the problem, I'm trying to monitor with auditd/auditctl the files accessed in the partition exported by the NFS server.

The problem is that our disk or NFS problem prevents auditd from writing logs to /var/log/auditd/auditd.log.

What I really need is to send all logs somewhere other than a local file.

Can I simply redirect all logs from 192.168.1.1 to 192.168.1.2 (the network is working correctly)?

Best Answer

I'm assuming you're on Linux by how you phrased your question. Should that be the case, then yes, there is: look into audisp-remote and audispd. These are standard components in the current audit tools on Linux.
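What the audisp-remote setup the answer points at looks like in practice, as an added example that is not part of the question or the answer. It assumes the Debian packages auditd and audispd-plugins, the audit 2.x file layout under /etc/audisp (audit 3.x keeps the same files under /etc/audit), a collector at 192.168.1.2 listening on audisp-remote's default port 60, and a hypothetical export path /srv/export; the `write_logs` key exists only in recent auditd versions (older builds disable the local file with `log_format = NOLOG`), so check `man auditd.conf` on your box. The script renders the config files through functions and touches /etc only when invoked as `sh forward.sh client` (on the NFS server) or `sh forward.sh collector` (on the receiving host).

```shell
#!/bin/sh
# Added example: forward auditd events from the NFS server (192.168.1.1) to a
# collector (192.168.1.2) with audisp-remote instead of the stuck local file.
# Assumes Debian's auditd + audispd-plugins and the /etc/audisp layout.
set -u

COLLECTOR="${COLLECTOR:-192.168.1.2}"
PORT="${PORT:-60}"                        # audisp-remote's default port
EXPORT_DIR="${EXPORT_DIR:-/srv/export}"  # hypothetical NFS export path

# /etc/audisp/plugins.d/au-remote.conf on the NFS server: enables the plugin.
render_plugin_conf() {
    cat <<'EOF'
active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string
EOF
}

# /etc/audisp/audisp-remote.conf on the NFS server. "mode = immediate" sends
# each record as it arrives; bounded retries keep a dead collector from
# wedging the dispatcher the way the hung disk wedges auditd's local write.
render_remote_conf() {
    cat <<EOF
remote_server = $1
port = $2
transport = tcp
mode = immediate
queue_depth = 2048
format = managed
network_retry_time = 1
max_tries_per_record = 3
max_time_per_record = 5
heartbeat_timeout = 0
enable_krb5 = no
EOF
}

# Listener settings appended to /etc/audit/auditd.conf on the collector.
render_listener_conf() {
    cat <<EOF
tcp_listen_port = $1
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
EOF
}

# Refuse to install a client config with a missing server or non-numeric port.
validate_remote_conf() {
    printf '%s\n' "$1" | grep -Eq '^remote_server = [0-9]+(\.[0-9]+){3}$' &&
    printf '%s\n' "$1" | grep -Eq '^port = [0-9]+$'
}

install_client() {
    conf=$(render_remote_conf "$COLLECTOR" "$PORT")
    validate_remote_conf "$conf" || { echo "bad remote config" >&2; return 1; }
    printf '%s\n' "$conf" > /etc/audisp/audisp-remote.conf
    render_plugin_conf > /etc/audisp/plugins.d/au-remote.conf
    # Stop auditd from also writing the local file the stuck disk cannot absorb
    # (write_logs needs a recent audit release; older ones use log_format = NOLOG).
    sed -i 's/^write_logs *=.*/write_logs = no/' /etc/audit/auditd.conf
    service auditd restart
    # Watch the exported tree for reads, writes and attribute changes, keyed so
    # the collector can pull just these records with "ausearch -k nfs_export".
    auditctl -w "$EXPORT_DIR" -p rwa -k nfs_export
}

install_collector() {
    render_listener_conf "$PORT" >> /etc/audit/auditd.conf
    service auditd restart
}

case "${1:-}" in
    client)    install_client ;;
    collector) install_collector ;;
esac
```

The events still originate from the kernel on 192.168.1.1: the local auditd receives them, audispd hands each one to audisp-remote, and the collector's auditd writes them into its own /var/log/audit/audit.log with a node= field identifying the sender. If the collector becomes unreachable, what happens to queued records is governed by `queue_depth` and the `network_failure_action` setting in audisp-remote.conf, so decide up front whether dropping or stopping is acceptable for this diagnosis.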
