From: Steve Grubb
Subject: Re: Filter for audit.log
Date: Tue, 22 Dec 2009 14:13:18 -0500
Message-ID: <200912221413.18205.sgrubb@redhat.com>
References: <87577f5748a297a896045e2ec24ac66e.squirrel@tools.arlut.utexas.edu>
In-Reply-To: <87577f5748a297a896045e2ec24ac66e.squirrel@tools.arlut.utexas.edu>
To: linux-audit@redhat.com

On Monday 21 December 2009 10:46:51 am corbin@arlut.utexas.edu wrote:
> Is there a way to get audit.log to filter messages from Splunk in RHEL 5
> server systems?

I really don't know what Splunk is doing or why. Does it run with its own UID or does it run as root? If it does have its own uid, then that might be used for filtering. Aside from that, since it's a commercial app, you might ask them if they've tested it on a Linux system with NISPOM audit rules and what they would suggest.

-Steve
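The uid check suggested in the reply can be run against existing audit.log records before any rule is written. The following is an added example, not part of the original message or of the audit project's code; the sample records, uid 501 and the `/opt/splunk/` path are constructed assumptions.

```python
import re
from collections import Counter

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample SYSCALL records (not from the thread); uid 501 and the
# /opt/splunk path are assumptions for illustration.
SAMPLE_LOG = "\n".join([
    'type=SYSCALL msg=audit(1261422411.101:901): syscall=2 auid=4294967295 uid=501 exe="/opt/splunk/bin/splunkd"',
    'type=SYSCALL msg=audit(1261422411.160:902): syscall=2 auid=4294967295 uid=501 exe="/opt/splunk/bin/splunkd"',
    'type=SYSCALL msg=audit(1261422412.007:903): syscall=59 auid=500 uid=0 exe="/usr/sbin/sshd"',
    'type=SYSCALL msg=audit(1261422412.310:904): syscall=2 auid=4294967295 uid=501 exe="/opt/splunk/bin/splunkd"',
    'type=SYSCALL msg=audit(1261422413.552:905): syscall=2 auid=500 uid=500 exe="/bin/bash"',
])

def parse_record(line):
    """Return the key=value fields of one audit record, with quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def tally(log):
    """Count SYSCALL records per (uid, exe) pair."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL" and "uid" in rec:
            counts[(rec["uid"], rec.get("exe", "?"))] += 1
    return counts

def dedicated_uid(log, exe_prefix="/opt/splunk/"):
    """Return the uid if the application runs under exactly one non-root uid
    that no other executable uses; otherwise None (a uid filter would be
    too broad or would not cover the application)."""
    counts = tally(log)
    app_uids = {uid for uid, exe in counts if exe.startswith(exe_prefix)}
    if len(app_uids) != 1:
        return None
    uid = app_uids.pop()
    shared = any(u == uid and not exe.startswith(exe_prefix) for u, exe in counts)
    return None if uid == "0" or shared else uid

def suggest_rule(uid):
    """Build an audit.rules line that drops syscall events for this uid."""
    return f"-a exit,never -F uid={uid}"

if __name__ == "__main__":
    uid = dedicated_uid(SAMPLE_LOG)
    print(suggest_rule(uid) if uid else "no dedicated uid; do not filter by uid")
```

Audit rules are evaluated first match wins, so a `never` rule has to be loaded ahead of the rules it is meant to override. It removes every syscall audit record for that uid, which is why the check returns nothing when the application runs as root or shares its uid.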