DOKK / manpages / debian 10 / auditd / audispd.8.en
AUDISPD:(8) System Administration Utilities AUDISPD:(8)

audispd - an event multiplexor

audispd [-c <config_dir>].SHDESCRIPTION audispd is an audit event multiplexor. It has to be started by the audit daemon in order to get events. It takes audit events and distributes them to child programs that want to analyze events in realtime. When the audit daemon receives a SIGTERM or SIGHUP, it passes that signal to the dispatcher, too. The dispatcher in turn passes those signals to its child processes.

The child programs install a configuration file in a plugins directory, /etc/audisp/plugins.d. Filenames are not allowed to have more than one '.' in the name or it will be treated as a backup copy and skipped. Options are given one per line with an equal sign between the keyword and its value. The available options are as follows:

The options for this are yes or no.
The option is dictated by the plugin. In or out are the only choices. You cannot make a plugin operate in a way it wasn't designed just by changing this option.This option is to give a clue to the event dispatcher about which direction events flow. NOTE: inbound events are not supported yet.
This is the absolute path to the plugin executable. In the case of internal plugins, it would be the name of the plugin.
This tells the dispatcher how the plugin wants to be run. Choices are builtin and always. Builtin should always be given for plugins that are internal to the audit event dispatcher. These are af_unix and syslog. The option always should be given for most if not all plugins. The default setting is always.
This allows you to pass arguments to the child program. Generally plugins do not take arguments and have their own config file that instructs them how they should be configured. At the moment, there is a limit of 2 args.
The valid options for this are binary and string. Binary passes the data exactly as the audit event dispatcher gets it from the audit daemon. The string option tells the dispatcher to completely change the event into a string suitable for parsing with the audit parsing library. The default value is string.

/etc/audisp/audispd.conf /etc/audisp/plugins.d

audispd.conf(5), auditd(8).

Steve Grubb

Sept 2007 Red Hat