* Filter for audit.log
From: corbin @ 2009-12-21 15:46 UTC (permalink / raw)
To: linux-audit
Hello, we have installed Splunk in order to monitor the audit.log files of
several systems. However, our audit.log files are turning over quicker
than usual since Splunk seems to spam our audit.log file with entries.
Is there a way to get audit.log to filter messages from Splunk in RHEL 5
server systems?
Thanks in advance!
Starr
* Re: Filter for audit.log
From: Steve Grubb @ 2009-12-22 19:13 UTC (permalink / raw)
To: linux-audit
On Monday 21 December 2009 10:46:51 am corbin@arlut.utexas.edu wrote:
> Is there a way to get audit.log to filter messages from Splunk in RHEL 5
> server systems?
I really don't know what Splunk is doing or why. Does it run with its own UID
or does it run as root? If it does have its own UID, then that might be used
for filtering. Aside from that, since it's a commercial app, you might ask them
if they've tested it on a Linux system with NISPOM audit rules and what they
would suggest.
-Steve
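The reply suggests two things a practitioner would do in order: first find out which UID and process are actually producing the flood, then, if the collector runs under its own UID, add a rule that stops auditing that UID. The script below is an added example, not from the thread or from Splunk or the audit project. It parses constructed audit.log lines (the SAMPLE_LOG text is made up; uid 501 and the comm name "splunkd" are assumptions), counts SYSCALL records per (uid, comm), and renders the matching auditctl `never` rule for the noisiest UID.

```python
import re
from collections import Counter

# Constructed sample audit.log records; not copied from any real system.
# uid 501 / comm "splunkd" is the assumed collector identity for this example.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1261410411.123:4567): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=2345 auid=4294967295 uid=501 gid=501 euid=501 comm="splunkd" exe="/opt/splunk/bin/splunkd" key="nispom"
type=SYSCALL msg=audit(1261410411.124:4568): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=2345 auid=4294967295 uid=501 gid=501 euid=501 comm="splunkd" exe="/opt/splunk/bin/splunkd" key="nispom"
type=SYSCALL msg=audit(1261410412.001:4569): arch=c000003e syscall=2 success=yes exit=4 items=1 ppid=1 pid=2345 auid=4294967295 uid=501 gid=501 euid=501 comm="splunkd" exe="/opt/splunk/bin/splunkd" key="nispom"
type=SYSCALL msg=audit(1261410415.500:4570): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=3000 pid=3001 auid=1000 uid=0 gid=0 euid=0 comm="vi" exe="/bin/vi" key="nispom"
type=USER_LOGIN msg=audit(1261410420.000:4571): user pid=3100 uid=0 auid=1000 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of field -> value (quotes stripped)."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def count_by_uid_and_comm(log_text):
    """Count SYSCALL records per (uid, comm) so the noisiest process stands out.

    Only SYSCALL records are counted because those carry the process identity
    that a uid-based audit rule can act on.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        counts[(rec.get("uid"), rec.get("comm"))] += 1
    return counts


def top_offender(counts):
    """Return the (uid, comm) pair with the most SYSCALL records."""
    if not counts:
        return None
    return counts.most_common(1)[0][0]


def never_rule_for_uid(uid):
    """Render an auditctl rule that skips syscall auditing for one uid.

    auditctl evaluates exit-filter rules in order, so this 'never' rule has to
    appear in audit.rules before the rules it is meant to short-circuit.
    """
    return "-a never,exit -S all -F uid=%s" % uid


if __name__ == "__main__":
    counts = count_by_uid_and_comm(SAMPLE_LOG)
    for (uid, comm), n in counts.most_common():
        print("uid=%s comm=%s records=%d" % (uid, comm, n))
    worst = top_offender(counts)
    if worst is not None:
        print("suggested rule (place before the NISPOM rules):")
        print(never_rule_for_uid(worst[0]))
```

Run it against a real file with `count_by_uid_and_comm(open("/var/log/audit/audit.log").read())`. After adding the rule to /etc/audit/audit.rules and reloading, `auditctl -l` shows the rule order, which is the check that the `never` rule really sits above the others. Because the rule hides everything that UID does, it is worth keeping the UID dedicated to the collector rather than shared.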