From: Burn Alting <burn@swtf.dyndns.org>
To: linux-audit@redhat.com
Subject: Advice on enriching logs with user and group names before moving them to a central log repository
Date: Thu, 02 Aug 2012 20:54:14 +1000 [thread overview]
Message-ID: <1343904854.4074.76.camel@swtf> (raw)
Hi,
I have a scenario of a mixed collection of Linux systems, some that have
users authenticate via a central ldap, others have local (/etc/passwd)
authentication.
This means I cannot 100% depend that the user name, say, fred, with uid
1000, has the same uid on every machine he has an account on. Thus
before I send my logs to a central server, I want to enrich them with
user and group names I validate at the local machine. That is, I want
to change an event's ids from
.... uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=43
sgid=43 fsgid=43 ....
to
.... uid=1000(fred) gid=1000(prog) euid=1000(fred)
suid=1000(fred) fsuid=1000(fred) egid=43(utmp) sgid=43(utmp)
fsgid=43(utmp) ....
I BELIEVE my best approach is to use the event multiplexor (audispd) to
convert raw logs via a child program, say based on the sample code,
audisp-example (i.e. using the auparse library), and send the output of
this audisp-example variant to syslog to get the event to a central
repository.
Is this the best approach?
Are there parameters I should consider for audisp.conf (e.g. q_depth =
99999)? Does such a configuration option in audisp.conf suggest I make
the buffer size set in audit.rules to something higher?
Is there any consideration to having auditd have an option to directly
generate user and group names in addition to uids and gids?
Thanks in advance
Burn
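The enrichment step Burn describes, written out as an added example (this is not code from the post, nor the audit project's own audisp-example; it is a stand-in for that C plugin). It assumes the plugin receives one raw record per line on stdin, as audispd hands events to its plugins, and that the uid-bearing fields are uid/auid/euid/suid/fsuid/ouid and the gid-bearing fields gid/egid/sgid/fsgid/ogid; those field lists, the "(unset)" tag for 4294967295 and the name whitelist are this example's choices. Ids that do not resolve on the local box are deliberately left as bare numbers, and a name that would inject extra fields into the record (possible if a directory lets people pick odd user names) is refused, so the central collector can trust that "1000(fred)" really came from a local lookup.

```python
"""Enrich raw audit records with locally resolved user/group names.

Meant to sit behind audispd (which hands each event to a plugin on stdin)
and emit the tagged record on stdout for a syslog forwarder.  Added example,
not the audit project's audisp-example; field lists and tagging are assumptions.
"""
import re
import sys

try:                      # pwd/grp exist on POSIX only; tables can be injected instead
    import pwd
    import grp
except ImportError:
    pwd = grp = None

# Fields whose value is a uid (passwd lookup) or a gid (group lookup).
# Longest names first so the alternation never stops at a prefix.
UID_FIELDS = ("fsuid", "auid", "euid", "suid", "ouid", "uid")
GID_FIELDS = ("fsgid", "egid", "sgid", "ogid", "gid")
UNSET_ID = 4294967295     # (uid_t)-1, what the kernel logs when no id is set

# \b stops "uid" matching inside "euid"; the lookahead rejects an already
# tagged value such as uid=1000(fred), so running the filter twice is a no-op.
_ID_RE = re.compile(
    r"\b(?P<key>" + "|".join(UID_FIELDS + GID_FIELDS) + r")=(?P<val>\d+)(?=\s|$)"
)
# Only names made of these characters are inserted.  A directory-supplied
# name such as 'x) uid=0(root' would otherwise inject fields into the record.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._$-]+$")


def _resolve(table, ident, getter, attr):
    """Name for ident from an injected table, else from NSS; None if unknown."""
    if table is not None:
        return table.get(ident)
    if getter is None:
        return None
    try:
        return getattr(getter(ident), attr)
    except KeyError:
        return None


def enrich_event(line, users=None, groups=None):
    """Rewrite every uid/gid field of one raw audit record as id(name).

    users/groups: optional {id: name} tables (a one-shot snapshot, or the
    constructed tables used in the test).  Without them each id goes through
    pwd/grp, i.e. the local NSS configuration, at the time of enrichment.
    Ids that do not resolve, or whose name fails the whitelist, stay as the
    bare number so the collector can tell "unknown here" from a real account.
    """
    def tag(m):
        key, val = m.group("key"), int(m.group("val"))
        if val == UNSET_ID:
            return f"{key}={val}(unset)"   # same word ausearch -i prints
        if key in UID_FIELDS:
            name = _resolve(users, val, pwd.getpwuid if pwd else None, "pw_name")
        else:
            name = _resolve(groups, val, grp.getgrgid if grp else None, "gr_name")
        if name is None or not _SAFE_NAME.match(name):
            return m.group(0)
        return f"{key}={val}({name})"
    return _ID_RE.sub(tag, line)


def main():
    # audispd plugin mode: one record per line on stdin, tagged record on stdout.
    for record in sys.stdin:
        sys.stdout.write(enrich_event(record))
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

To hook it up as a plugin it would be pointed to from a file under /etc/audisp/plugins.d/ with `type = always`, `format = string` and `path` set to the script, the same keys the shipped plugin files use; the stdout of the script then goes to whatever forwards to syslog. On an LDAP-backed host every unresolved id costs an NSS round trip, so a cache (or the snapshot tables shown above, refreshed periodically) keeps the plugin from falling behind the audispd queue.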
Thread overview: 9+ messages
2012-08-02 10:54 Burn Alting [this message]
2012-08-02 13:54 ` Advice on enriching logs with user and group names before moving them to a central log repository John Dennis
2012-08-02 16:26 ` Guillaume Destuynder
2012-08-02 21:12 ` Miloslav Trmac
2012-08-02 21:19 ` John Dennis
2012-08-06 17:51 ` Steve Grubb
2012-08-10 9:51 ` Burn Alting
2012-08-10 16:57 ` Michael Mather
2012-08-18 13:17 ` Steve Grubb