From: Steve Grubb
Subject: Re: Centralized Logging question #2
Date: Fri, 29 Apr 2016 15:35:19 -0400
Message-ID: <2294046.2RPemcXKLg@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

On Thursday, April 28, 2016 07:55:13 PM Warron S French wrote:
> If I centralize audit logging through rsyslog, and I have each of the remote
> machines' /etc/rsyslog.conf use the same generic audit.log file name
> instead of customizing the audit logs with something like
> HOSTNAME-audit.log, because ausearch apparently only looks for a file
> specifically of the format audit.log...

People who use rsyslog as the centralizing tool are likely to be using
something else like Splunk or other tools to do audit reporting and review.

> Will the log-data submitted from the various hosts be consolidated into a
> single file?

Through the native audit tools, yes. Through other tools... I don't know.
There are a variety of ways central logging can be done. I'm surprised no one
has chimed in to offer an alternate.

> Will the ausearch command then be usable with the -if argument?

Once rsyslog gets the audit event, it adds its own data to the record. That
messes up the audit tool's parsers.

-Steve
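The point Steve makes about rsyslog prepending its own data to each audit record, shown as an added example that is not part of the thread: a native audit.log line starts directly with `type=`, whereas a record relayed through rsyslog's default template carries a syslog header (timestamp, hostname, program tag) in front of it. The helper below detects that header, strips it, and carries the origin host over as an audit-style `node=` prefix so the record regains the shape the audit parsers expect. The sample lines, hostnames and event ids are constructed for the example.

```python
import re

# Constructed samples (not from the thread): two records relayed by rsyslog
# with its syslog header in front, one record in native audit.log form.
SAMPLE_LINES = [
    'Apr 28 19:55:13 host1 audispd: type=SYSCALL msg=audit(1461887713.123:4567): '
    'arch=c000003e syscall=2 success=yes exit=3 pid=2 comm="cat" key="access"',
    'Apr 28 19:55:14 host2 audispd[812]: type=USER_LOGIN msg=audit(1461887714.456:89): '
    'pid=1 uid=0 auid=1000 ses=4 msg=\'op=login acct="alice" res=success\'',
    'type=CRED_DISP msg=audit(1461887715.000:90): pid=2 uid=0 auid=1000 ses=4 '
    'msg=\'op=PAM:setcred acct="alice" res=success\'',
    'Apr 28 19:55:15 host1 sshd[999]: Accepted publickey for alice',  # not audit
]

# RFC 3164-style header as rsyslog's default template emits it:
# "Mon DD HH:MM:SS hostname tag[pid]: <message>", followed by the audit record.
SYSLOG_HEADER = re.compile(
    r'^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} '
    r'(?P<host>\S+) (?P<tag>[^:\s]+)(?:\[\d+\])?: (?P<msg>type=.*)$'
)


def split_rsyslog_record(line):
    """Return (origin_host, native_record); host is None for an already native
    line. Returns None when the line is not an audit record at all."""
    m = SYSLOG_HEADER.match(line)
    if m:
        return m.group('host'), m.group('msg')
    if line.startswith(('type=', 'node=')):
        return None, line
    return None


def to_native(line):
    """Rebuild a line as an audit.log record; the rsyslog hostname becomes the
    'node=' prefix that auditd itself emits when name_format is configured."""
    parsed = split_rsyslog_record(line)
    if parsed is None:
        return None
    host, rec = parsed
    if host is None or rec.startswith('node='):
        return rec
    return 'node=%s %s' % (host, rec)


def normalize(lines):
    """Convert a relayed log to native-format records, dropping non-audit noise."""
    return [r for r in (to_native(l) for l in lines) if r is not None]


if __name__ == '__main__':
    for rec in normalize(SAMPLE_LINES):
        print(rec)
```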