Some Audit Log Messages Are Not Received By the Collection Server
Valid on UNIX
Symptom:
I configured the endpoints in my CA Access Control installation to route their local audit logs to a central log collection server, but the server does not receive all the audit logs. I configured selogrd to emit the audit records and selogrcd to collect the audit records.
Solution:
To troubleshoot selogrd, the emitter daemon for the CA Access Control log routing system, do the following:
- Review the selogrd.cfg file. This file configures which audit messages CA Access Control routes to the central log collector.
- Review the audit log for each endpoint. If an audit event is missing from the audit log, review the audit.cfg file. The audit.cfg file configures which audit events CA Access Control writes to the audit log. If the audit.cfg file prevents CA Access Control from writing an audit event to the audit log, the audit event cannot be routed.
- Configure selogrd, the emitter daemon for the log routing system, to print debug messages, then recreate the problem. Use the following command to configure selogrd to print debug messages:
selogrd -d
More information:
The Audit Log Route Configuration File selogrd.cfg
audit.cfg File—Filter Audit Records