veilor-os/overlay/etc/audisp/audisp-remote.conf.disabled

# veilor-os audisp-remote configuration template (DISABLED by default)
#
# IMPORTANT: enabling remote audit shipping leaks security events off-device.
# Only enable if you have a trusted log collector — the remote endpoint
# will receive every privileged syscall, file-watch hit, auth event, and
# sudoers/SSH config change recorded by auditd.
#
# To activate:
#   1. Set veilor-remote.conf `active = yes` (in /etc/audit/plugins.d/).
#   2. Copy this file to /etc/audisp/audisp-remote.conf (drop `.disabled`).
#   3. Edit `remote_server` + TLS settings below.
#   4. systemctl restart auditd
#
# Loki / Wazuh / Splunk integration paths:
#
#   Loki   - point remote_server at a syslog-to-Loki shim (promtail or
#            vector with `syslog` source, format = "rfc5424"). Use TCP+TLS.
#   Wazuh  - run wazuh-agent locally; it pulls /var/log/audit/audit.log
#            directly. In that case leave remote_server empty and rely on
#            wazuh-agent's filebeat-style tailer instead of audisp-remote.
#   Splunk - use a Splunk HEC bridge (rsyslog-omhttp or vector http sink).
#            audisp-remote speaks plain syslog/TLS; it does not speak HEC
#            natively.

# ---- transport ----
remote_server      = logs.example.org
port               = 60
transport          = tcp           # plain | tcp | krb5
queue_file         = /var/spool/audit/remote.log
mode               = immediate     # immediate | forwarding
queue_depth        = 10240
format             = managed       # managed | ascii

# ---- TLS (transport = tcp + use_libwrap=no recommended) ----
enable_krb5        = no
krb5_principal     =
krb5_client_name   = auditd
krb5_key_file      = /etc/audit/audit.key

# ---- failure handling ----
network_failure_action  = stop     # ignore | syslog | exec | suspend | single | halt | stop
disk_low_action         = syslog
disk_full_action        = syslog
disk_error_action       = syslog
remote_ending_action    = reconnect
generic_error_action    = syslog
generic_warning_action  = syslog
overflow_action         = syslog

# ---- heartbeat ----
heartbeat_timeout       = 60
network_retry_time      = 1
max_tries_per_record    = 3
max_time_per_record     = 5

# ---- formatting ----
# `managed` wraps each event in a syslog-RFC5424 header with veilor-os
# hostname + audit facility (LOG_AUTHPRIV). Loki/Splunk prefer this.
sec: AppArmor profile skeletons + audit shipping draft + veilor-firstboot SELinux module (#3) Co-authored-by: veilor-org <admin@veilor.org> 2026-05-02 04:39:39 +01:00			`# veilor-os audisp-remote configuration template (DISABLED by default)`
			`#`
			`# IMPORTANT: enabling remote audit shipping leaks security events off-device.`
			`# Only enable if you have a trusted log collector — the remote endpoint`
			`# will receive every privileged syscall, file-watch hit, auth event, and`
			`# sudoers/SSH config change recorded by auditd.`
			`#`
			`# To activate:`
			# 1. Set veilor-remote.conf `active = yes` (in /etc/audit/plugins.d/).
			# 2. Copy this file to /etc/audisp/audisp-remote.conf (drop `.disabled`).
			# 3. Edit `remote_server` + TLS settings below.
			`# 4. systemctl restart auditd`
			`#`
			`# Loki / Wazuh / Splunk integration paths:`
			`#`
			`# Loki - point remote_server at a syslog-to-Loki shim (promtail or`
			# vector with `syslog` source, format = "rfc5424"). Use TCP+TLS.
			`# Wazuh - run wazuh-agent locally; it pulls /var/log/audit/audit.log`
			`# directly. In that case leave remote_server empty and rely on`
			`# wazuh-agent's filebeat-style tailer instead of audisp-remote.`
			`# Splunk - use a Splunk HEC bridge (rsyslog-omhttp or vector http sink).`
			`# audisp-remote speaks plain syslog/TLS; it does not speak HEC`
			`# natively.`

			`# ---- transport ----`
			`remote_server = logs.example.org`
			`port = 60`
			`transport = tcp # plain \| tcp \| krb5`
			`queue_file = /var/spool/audit/remote.log`
			`mode = immediate # immediate \| forwarding`
			`queue_depth = 10240`
			`format = managed # managed \| ascii`

			`# ---- TLS (transport = tcp + use_libwrap=no recommended) ----`
			`enable_krb5 = no`
			`krb5_principal =`
			`krb5_client_name = auditd`
			`krb5_key_file = /etc/audit/audit.key`

			`# ---- failure handling ----`
			`network_failure_action = stop # ignore \| syslog \| exec \| suspend \| single \| halt \| stop`
			`disk_low_action = syslog`
			`disk_full_action = syslog`
			`disk_error_action = syslog`
			`remote_ending_action = reconnect`
			`generic_error_action = syslog`
			`generic_warning_action = syslog`
			`overflow_action = syslog`

			`# ---- heartbeat ----`
			`heartbeat_timeout = 60`
			`network_retry_time = 1`
			`max_tries_per_record = 3`
			`max_time_per_record = 5`

			`# ---- formatting ----`
			# `managed` wraps each event in a syslog-RFC5424 header with veilor-os
			`# hostname + audit facility (LOG_AUTHPRIV). Loki/Splunk prefer this.`