From: John Dennis <jdennis@redhat.com>
To: Matthew Booth <mbooth@redhat.com>
Cc: linux-audit <linux-audit@redhat.com>
Subject: Re: Absolute path names in PATH records
Date: Mon, 02 Jul 2007 17:22:25 -0400
Message-ID: <1183411345.8532.134.camel@finch.boston.redhat.com>
In-Reply-To: <1183410141.4534.28.camel@localhost.localdomain>
On Mon, 2007-07-02 at 22:02 +0100, Matthew Booth wrote:
> On Mon, 2007-07-02 at 16:43 -0400, John Dennis wrote:
> > The audit parsing library (auparse) can reassemble independent
> > records into a single event (but currently only if the records occur
> > sequentially, non-sequential record assembly is a future feature).
>
> I'm evaluating a third party product (RSA's enVision) for handling large
> volumes of audit data from large numbers of hosts. I'm delivering audit
> records to it from a custom auditd which does little other than wrap the
> records it receives as syslog and send them in a UDP packet to the
> collector. This is for performance reasons as we're generating a lot of
> audit data. Post-processing with auparse would require either doing this
> inline, on-node, which I don't think would be feasible because of
> performance, or running it on the enVision appliance, which definitely
> isn't feasible as it runs Windows ;). enVision can plug things back
> together, but again it's limited in what it can do in-line for
> performance reasons. It would be easiest all-round if we got the
> information pre-digested.
A few quick points:
enVision can only reassemble records into an event if you are transmitting
the record header information. Are you? If so, and enVision can properly
interpret the header and coalesce matching headers, you're all set.
There is a lot of planned work surrounding aggregate auditing from
multiple hosts, perhaps not relevant to the current evaluation of
enVision, but be aware this technology area is in high churn.
For example, the current audit system now allows interested third
parties to monitor audit information; there is no need for custom audit
daemons, as there is a well-defined framework for monitoring.
--
John Dennis <jdennis@redhat.com>
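As an added illustration of the record-header coalescing discussed above (example code written for this page, not part of the thread, auparse, or enVision): every kernel audit record carries a `msg=audit(<seconds>.<millis>:<serial>)` header, and all records of one event share that pair, so a collector that keeps the header can regroup SYSCALL, CWD and PATH records into an event even when records from different events interleave (the non-sequential case the thread mentions). It also resolves PATH `name=` values against the event's CWD record, assuming the usual convention that a relative `name=` is relative to that `cwd=`; the sample records are constructed.

```python
import re
import posixpath

# Header shared by every record of an event: type=<TYPE> msg=audit(<ts>:<serial>):
HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)

def parse_record(line):
    """Split one raw record into (event_key, type, body); None if it has no header."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return ((m.group("ts"), m.group("serial")), m.group("type"), m.group("body"))

def assemble_events(lines):
    """Group records into events keyed by their audit(ts:serial) header.
    Interleaved records still land in the right event; records without a
    header (e.g. mangled in transit) are dropped and counted."""
    events, dropped = {}, 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            dropped += 1
            continue
        key, rtype, body = rec
        events.setdefault(key, []).append((rtype, body))
    return events, dropped

def absolute_paths(event):
    """Resolve each PATH name= of an assembled event against its CWD record,
    giving the 'pre-digested' absolute path a downstream consumer wants."""
    cwd = "/"  # assumption: fall back to the root if the event has no CWD record
    for rtype, body in event:
        if rtype == "CWD":
            m = re.search(r'cwd="([^"]*)"', body)
            if m:
                cwd = m.group(1)
    names = []
    for rtype, body in event:
        if rtype == "PATH":
            m = re.search(r'name="([^"]*)"', body)
            if m:
                names.append(posixpath.normpath(posixpath.join(cwd, m.group(1))))
    return names

# Constructed sample: two events whose records arrive interleaved, plus one garbled line.
SAMPLE = """\
type=SYSCALL msg=audit(1183411345.123:456): arch=c000003e syscall=2 success=yes exit=3
type=CWD msg=audit(1183411345.123:456):  cwd="/home/mbooth"
type=SYSCALL msg=audit(1183411345.130:457): arch=c000003e syscall=2 success=no exit=-13
type=PATH msg=audit(1183411345.123:456): item=0 name="etc/passwd" inode=1234 dev=08:01
type=PATH msg=audit(1183411345.130:457): item=0 name="/etc/shadow" inode=1235 dev=08:01
garbage line without a header
"""
```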