# veilor-os audit remote shipping (DISABLED by default)
#
# IMPORTANT: enabling remote audit shipping leaks security events off-device.
# Only enable if you have a trusted log collector (Loki / Wazuh / Splunk).
# The remote endpoint will see every privileged syscall, file watch hit,
# auth event, and sudoers change. Treat the collector with the same trust
# level as the host root account.
#
# Enable:
#   1. Set `active = yes` below.
#   2. Configure /etc/audisp/audisp-remote.conf (see audisp-remote.conf.disabled).
#   3. systemctl restart auditd.
#   4. Verify with: auditctl -s | grep enabled
#
# NOTE(review): `auditctl -s` reports the kernel audit status (the `enabled`
# flag); it does not show whether this plugin was loaded or whether events
# reach the collector. Also confirm delivery on the collector side and check
# the auditd log/journal for plugin errors after the restart.
#
# NOTE(review): review the transport settings in audisp-remote.conf before
# enabling. Events sent over plain TCP cross the network unencrypted and
# unauthenticated - confirm the link to the collector is protected.
#
# Plugin pipes audit events out of auditd via a UNIX socket; audisp-remote
# reads from that socket and forwards to the configured remote_server.
#
# NOTE(review): stock audisp-remote is normally started as its own plugin and
# receives events on stdin rather than from this socket - confirm what
# actually consumes the socket on veilor-os. Setting `active = yes` here
# exposes the event stream on the local socket regardless of whether a
# forwarder is attached.

# Plugin stays off until an operator deliberately changes this to `yes`.
active = no
direction = out
# Built-in AF_UNIX plugin of the audit dispatcher (no external binary).
path = builtin_af_unix
type = builtin
# Filesystem path of the UNIX socket the events are written to.
# NOTE(review): no octal mode is given; stock af_unix plugin configs put one
# before the path (e.g. 0640). Confirm which mode the installed audit version
# applies when it is omitted - any local account that can read this socket
# sees the full audit event stream.
args = /var/run/audit_events
format = string