From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Auditd 1.0.15 in RHEL4 U4
Date: Mon, 12 Feb 2007 21:29:48 -0500
Message-ID: <200702122129.49009.sgrubb@redhat.com>
In-Reply-To: <1171288460.4760.10.camel@localhost.localdomain>
On Monday 12 February 2007 08:54, Matthew Booth wrote:
> Will this work without any other 4.5 updates?
Yes.
> Also, I had a quick flick through the dispatcher example. I note that
> it's shipping binary logs.
Hmm. I don't recall any binary logs in examples...are you sure?
> This is great from a storage POV, however it wasn't clear to me how this
> would tie in with the existing audit tools. If I simply dump the binary data
> to a file, can I easily:
>
> * Turn it into text?
> * Process it with aureport/ausearch?
Need the answer to the above before I can answer this. But then again...I
would not release anything that did binary formats without having the whole
thing tied together. IOW, I would release something that could read as well
as write a binary format. And I don't recall doing any binary format work.
> Also, that you're aware of, has anybody already implemented the simplest
> possible centralised log server. ie:
>
> * Stream uncompressed, unencrypted, unauthenticated audit logs to server
> * Write 1 log file per client audit daemon
> * Rotate on signal, respecting message boundaries
I believe so. I think the SNARE guys wrote a perl script that uses the
realtime interface and transfers data to their centralized logger.
> I'll be writing this if not.
Well, in about a week we'll be releasing a new & improved event dispatcher
that will allow multiple programs to hang off it and then we'll start looking
into a centralized collection system, too.
-Steve
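The three-point design in Matthew's list above (stream raw audit records to a server, one file per client daemon, rotate on a signal without splitting a record) as an added example in Python. This is not code from the thread, from auditd, or from the SNARE script Steve mentions. It assumes clients forward the text records that the realtime/audisp interface produces, one record per newline-terminated line; the listening port 5140 and the spool directory are hypothetical, and the sample records in `SAMPLE_STREAM` are constructed for the demo.

```python
"""Minimal centralized audit collector (added example, not auditd code).

Records arrive as newline-delimited text.  Each client gets its own file,
and SIGHUP rotates every file at a record boundary: a record that has only
partially arrived is held back and written whole into the new file.
"""
import os
import signal
import socketserver
import threading

RECORD_SEP = b"\n"  # realtime/audisp output is one text record per line


class ClientLog:
    """Per-client writer that only ever writes complete records."""

    def __init__(self, path):
        self.path = path
        self.pending = b""      # bytes of a record that is not complete yet
        self.generation = 0
        self.lock = threading.Lock()
        self.fh = open(path, "ab")

    def feed(self, data):
        """Append the complete records in data; keep any partial tail.
        Returns the number of complete records written."""
        with self.lock:
            buf = self.pending + data
            complete, sep, tail = buf.rpartition(RECORD_SEP)
            if sep:
                self.fh.write(complete + sep)
                self.fh.flush()
            self.pending = tail
            return complete.count(RECORD_SEP) + 1 if sep else 0

    def rotate(self):
        """Move the current file aside and open a fresh one.  self.pending
        is carried over, so no record is ever split across two files."""
        with self.lock:
            self.fh.close()
            self.generation += 1
            os.replace(self.path, f"{self.path}.{self.generation}")
            self.fh = open(self.path, "ab")


class Collector:
    """Registry of ClientLog objects keyed by client identifier."""

    def __init__(self, spool_dir):
        os.makedirs(spool_dir, exist_ok=True)
        self.spool_dir = spool_dir
        self.logs = {}
        self.lock = threading.Lock()

    def log_for(self, client_id):
        with self.lock:
            if client_id not in self.logs:
                safe = client_id.replace("/", "_")   # never trust the id as a path
                path = os.path.join(self.spool_dir, safe + ".log")
                self.logs[client_id] = ClientLog(path)
            return self.logs[client_id]

    def feed(self, client_id, data):
        return self.log_for(client_id).feed(data)

    def rotate_all(self, *_signal_args):
        """Signal-handler compatible: rotate every client's file."""
        with self.lock:
            logs = list(self.logs.values())
        for log in logs:
            log.rotate()


class AuditHandler(socketserver.StreamRequestHandler):
    def handle(self):
        client_id = self.client_address[0]     # one file per source address
        while True:
            data = self.request.recv(4096)
            if not data:
                break
            self.server.collector.feed(client_id, data)


class AuditServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr, collector):
        super().__init__(addr, AuditHandler)
        self.collector = collector


def serve(spool_dir, host="0.0.0.0", port=5140):
    """Run the collector; `kill -HUP <pid>` rotates all client files."""
    collector = Collector(spool_dir)
    signal.signal(signal.SIGHUP, collector.rotate_all)
    with AuditServer((host, port), collector) as srv:
        srv.serve_forever()


# Constructed sample: two whole records and the start of a third.
SAMPLE_STREAM = (
    b"type=SYSCALL msg=audit(1171288460.100:1): arch=c000003e syscall=2 success=yes\n"
    b"type=CWD msg=audit(1171288460.100:1): cwd=\"/root\"\n"
    b"type=PATH msg=au"
)
SAMPLE_REST = b"dit(1171288460.100:1): item=0 name=\"/etc/shadow\"\n"


def demo(spool_dir):
    """Feed the sample in two chunks with a rotation in between.
    Returns (records before rotate, records after rotate)."""
    c = Collector(spool_dir)
    before = c.feed("10.0.0.1", SAMPLE_STREAM)
    c.rotate_all()
    after = c.feed("10.0.0.1", SAMPLE_REST)
    return before, after


if __name__ == "__main__":
    serve("/var/spool/audit-collector")   # hypothetical spool path
```

Run it and point a client at the port (for instance a small audispd plugin or a `nc` pipe from the realtime interface); `kill -HUP` on the collector rotates `<client>.log` to `<client>.log.1`, `.2`, and so on. The example deliberately matches the minimal design being discussed: no transport encryption and no client authentication, so anything that can reach the port can inject or spoof records, and the per-address file naming is only as trustworthy as the network between client and server. It belongs on an isolated management network or behind an authenticated tunnel.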
Thread overview:
2007-02-12 13:54 Auditd 1.0.15 in RHEL4 U4 Matthew Booth
2007-02-13 2:29 ` Steve Grubb [this message]
2007-02-14 14:45 ` Matthew Booth
2007-02-14 15:55 ` Steve Grubb