veilor-os/overlay/etc/audisp/audisp-remote.conf.disabled
2026-05-02 04:39:39 +01:00


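# veilor-os audisp-remote configuration template (DISABLED by default)
#
# IMPORTANT: enabling remote audit shipping sends security events off-device.
# Only enable it for a collector you trust: the remote endpoint receives every
# privileged syscall, file-watch hit, auth event and sudoers/SSH config change
# that auditd records.
#
# IMPORTANT: audisp-remote has no TLS. With `transport = tcp` and
# `enable_krb5 = no` (the values below) the audit stream crosses the network
# in cleartext and the collector is not authenticated. Before enabling, either
# switch to Kerberos (`transport = krb5`, `enable_krb5 = yes`, keytab below)
# or carry the connection inside an authenticated tunnel (IPsec / WireGuard /
# stunnel) and firewall the collector port so only this host can reach it.
#
# The peer is a central auditd, not a syslog daemon: audisp-remote speaks the
# audit remote protocol to auditd's TCP listener (`tcp_listen_port` in the
# collector's auditd.conf, which must match `port` below). Received events
# land in the collector's own audit.log; feed Loki / Wazuh / Splunk from there.
#
# Syntax: one `key = value` per line, `#` comments on their own line only.
# audisp-remote's parser splits each line on whitespace and does not treat a
# trailing `# ...` as a comment, so a comment after a value makes the line —
# and the whole config — fail to load. Keep the spaces around `=`.
#
# To activate:
# 1. Set `active = yes` in veilor-remote.conf under /etc/audit/plugins.d/
#    (audit 3.x layout; audit 2.x keeps plugin files in /etc/audisp/plugins.d/).
# 2. Copy this file without the `.disabled` suffix to where this build's
#    audisp-remote reads it: /etc/audit/audisp-remote.conf on audit 3.x,
#    /etc/audisp/audisp-remote.conf on audit 2.x. Check which layout the
#    installed audit package uses before copying.
# 3. Edit `remote_server`, `port` and the Kerberos settings below.
# 4. Restart auditd. On distros whose unit sets RefuseManualStop=yes,
#    `systemctl restart auditd` is refused; use `service auditd restart`.
#
# Loki / Wazuh / Splunk integration paths:
#
# Loki   - run promtail or vector on the collector auditd and tail its
#          /var/log/audit/audit.log. audisp-remote does not emit syslog /
#          RFC5424, so a syslog receiver cannot be the `remote_server`
#          target with the default `format = managed`. `format = ascii`
#          sends bare record text that a generic TCP line receiver may
#          accept, but without framing or delivery acknowledgement — verify
#          with your receiver before relying on it.
# Wazuh  - run wazuh-agent locally; it tails /var/log/audit/audit.log itself.
#          In that case leave this plugin disabled (and `remote_server`
#          empty) rather than shipping the same events twice.
# Splunk - use a Splunk HEC bridge (rsyslog-omhttp or a vector http sink) on
#          the collector; audisp-remote does not speak HEC.
# ---- transport ----
# Collector hostname or IP. This is a placeholder; replace it before enabling.
remote_server = logs.example.org
# Must match `tcp_listen_port` in the collector's auditd.conf (60 is the
# audisp-remote default). If the collector restricts `tcp_client_ports`,
# set `local_port` here (not set by default) to a permitted source port.
port = 60
# Allowed values: tcp | krb5. tcp is cleartext and unauthenticated; krb5
# authenticates both ends and encrypts via GSSAPI (needs the keytab below).
transport = tcp
# On-disk queue for records that could not be delivered yet. It holds the
# same data as audit.log, so keep it on a root-only path.
queue_file = /var/spool/audit/remote.log
# Allowed values: immediate | forward (the audisp-remote.conf(5) spelling;
# `forwarding` is not a documented value). immediate sends records as they
# arrive; forward is the queued alternative — see audisp-remote.conf(5).
mode = immediate
# Queue capacity in records; overflow_action fires when it is full.
queue_depth = 10240
# Allowed values: managed | ascii. managed = audit remote protocol framing
# with per-record acknowledgements (what auditd's listener expects);
# ascii = bare record text, no framing, no acknowledgement.
format = managed
# ---- Kerberos / GSSAPI (the only built-in authentication + encryption) ----
# NOTE: `use_libwrap` is an auditd.conf option on the *collector* side
# (tcp_wrappers filtering of incoming connections). It has no meaning in this
# file and should stay enabled on the collector, not be turned off.
# yes | no. Older audisp-remote releases used this switch instead of
# `transport = krb5`; keep the two settings consistent.
enable_krb5 = no
# Server principal. Left empty, audisp-remote derives one from remote_server
# (see audisp-remote.conf(5) for the exact form).
krb5_principal =
# Client principal name; the keytab must contain a key for it.
krb5_client_name = auditd
# Keytab path. audisp-remote expects it root-owned with mode 0400 and refuses
# to start otherwise — never make it group- or world-readable.
krb5_key_file = /etc/audit/audit.key
# ---- failure handling ----
# Each action is one of:
#   ignore | syslog | exec | suspend | single | halt | stop
# (`reconnect` is additionally accepted for the network / remote-ending
# events). stop makes the plugin exit: auditd keeps logging locally and
# undelivered records stay in queue_file until the plugin is restarted, so
# nothing is lost but nothing is shipped either. Pick halt or single only if
# "no remote copy" must stop the host.
network_failure_action = stop
# The disk_* actions respond to disk conditions relayed by the remote auditd.
disk_low_action = syslog
disk_full_action = syslog
disk_error_action = syslog
remote_ending_action = reconnect
generic_error_action = syslog
generic_warning_action = syslog
# syslog only reports the full queue; it does not make room for the records
# that no longer fit. Raise queue_depth or choose a stronger action if
# dropped records must not go unnoticed.
overflow_action = syslog
# ---- liveness / retries ----
# Seconds between heartbeats; 0 disables them. Non-zero lets both sides
# notice a dead link instead of holding a half-open connection.
heartbeat_timeout = 60
# Seconds to wait before retrying after a connection failure.
network_retry_time = 1
# Send attempts per record before network_failure_action fires.
max_tries_per_record = 3
# Seconds allowed per record before an attempt counts as failed.
max_time_per_record = 5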