From: dump@tzib.net
To: linux-audit@redhat.com
Subject: Consolidate Audit's msgs
Date: Tue, 10 Jan 2012 18:05:19 -0800
Message-ID: <4F0CEE5F.3080509@tzib.net>

Hi,

I was wondering if there had already been an effort or solution to
consolidate msgs from auditd into a single line.
I'm talking about buffering the messages until EOE (or timing out/empty
buffer if EOE doesn't come on errors), and concatenating messages with
the same ID into a single message. Potentially also transforming the
message syntax while at it.

I'm asking because some loggers will only accept specific message formats.

I looked at the plugins, but, from what I gather, the kernel sends the
messages as raw strings and I'm not sure of the performance/memory
impact when auditd cranks out a lot of messages.

An alternative could be to send all the msgs as text to a remote auditd
host using audispd-remote, and processing the log file on that host.
It means even more messages to process, however, and I'm not sure the text
file interface will be fast enough, might cause too much disk activity,
break often, etc. if auditd, again, cranks out a lot of messages from
many hosts (like several thousand per second).

Any insight?
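The buffering scheme the mail asks about, written out as an added example (this is not code from the list, from auditd, or from the original poster): records are keyed on the audit(secs.ms:serial) event id, held until type=EOE arrives, and otherwise flushed by timeout. The single-line output format, the default timeout and pending cap, the function and class names, and the sample records are all this example's own choices; the records are constructed, not captured from a host.

```python
# Consolidate multi-record audit events into one line per event.
# Added example, not auditd/audispd code. Reads the raw
# "type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <fields>" records that
# auditd hands to plugins and emits one line per event id.
import re
import sys
import time
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

# <secs>.<ms>:<serial> is the event id shared by every record of one event.
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)


class AuditConsolidator:
    """Buffer records per event id; emit one line on EOE, timeout or overflow."""

    def __init__(self, timeout: float = 2.0, max_pending: int = 10000) -> None:
        self.timeout = timeout          # seconds to wait for EOE before giving up
        self.max_pending = max_pending  # hard cap on buffered events (memory bound)
        # event id -> {"first_seen": float, "records": [(type, body), ...]}
        self.events: "OrderedDict[str, Dict]" = OrderedDict()

    def feed(self, line: str, now: Optional[float] = None) -> List[str]:
        """Consume one raw record; return zero or more consolidated lines."""
        now = time.monotonic() if now is None else now
        out = self.flush_stale(now)
        line = line.rstrip("\n")
        m = RECORD_RE.match(line)
        if not m:
            # Never drop data silently: pass unparseable input through, tagged.
            out.append("UNPARSED " + line)
            return out
        ev_id = f"{m['ts']}:{m['serial']}"
        if m["type"] == "EOE":
            ev = self.events.pop(ev_id, None)
            if ev is not None:            # EOE for an unknown id is ignored
                out.append(self._render(ev_id, ev, "eoe"))
            return out
        ev = self.events.setdefault(ev_id, {"first_seen": now, "records": []})
        ev["records"].append((m["type"], m["body"]))
        if len(self.events) > self.max_pending:
            # Evict the oldest event rather than grow without bound.
            oldest_id, oldest = self.events.popitem(last=False)
            out.append(self._render(oldest_id, oldest, "overflow"))
        return out

    def flush_stale(self, now: float) -> List[str]:
        """Emit events whose EOE has not arrived within `timeout` seconds.

        User-space records (USER_LOGIN, USER_AUTH, ...) are single-record
        events that never get an EOE, so for them this is the normal exit
        path, not only the error path."""
        out = []
        for ev_id in list(self.events):
            if now - self.events[ev_id]["first_seen"] >= self.timeout:
                out.append(self._render(ev_id, self.events.pop(ev_id), "timeout"))
        return out

    def flush_all(self) -> List[str]:
        """Drain everything (call at EOF / shutdown)."""
        out = [self._render(i, e, "eof") for i, e in self.events.items()]
        self.events.clear()
        return out

    @staticmethod
    def _render(ev_id: str, ev: Dict, reason: str) -> str:
        # One line per event: id, why it was flushed, then each record as
        # "TYPE fields" joined by " | ". Embedded newlines are stripped so a
        # line-oriented downstream logger cannot be split by them.
        parts = [f"{t} {b}".replace("\n", " ") for t, b in ev["records"]]
        return f"audit({ev_id}) {reason}: " + " | ".join(parts)


def consolidate(lines: List[Tuple[float, str]], timeout: float = 2.0) -> List[str]:
    """Run a batch of (arrival_time, record) pairs through one consolidator."""
    c = AuditConsolidator(timeout=timeout)
    out: List[str] = []
    for now, line in lines:
        out.extend(c.feed(line, now))
    out.extend(c.flush_all())
    return out


# Constructed sample records (not captured from a real host): one
# multi-record SYSCALL event closed by EOE, a single-record user-space
# event that only leaves the buffer on timeout, and a trailing event
# drained at EOF.
SAMPLE = [
    (0.0, 'type=SYSCALL msg=audit(1326247519.123:4567): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat"'),
    (0.0, 'type=CWD msg=audit(1326247519.123:4567): cwd="/root"'),
    (0.0, 'type=PATH msg=audit(1326247519.123:4567): item=0 name="/etc/shadow" inode=1234 mode=0100000'),
    (0.0, 'type=EOE msg=audit(1326247519.123:4567): '),
    (1.0, 'type=USER_LOGIN msg=audit(1326247520.000:4568): pid=1 uid=0 auid=1000 res=success'),
    (5.0, 'type=SYSCALL msg=audit(1326247524.000:4569): arch=c000003e syscall=59 success=yes exit=0 comm="sh"'),
]

if __name__ == "__main__":
    # audispd-style use: records arrive on stdin, one per line.
    c = AuditConsolidator()
    for raw in sys.stdin:
        for line in c.feed(raw):
            print(line)
    for line in c.flush_all():
        print(line)
```

Two things worth noting for real use. Memory is bounded by timeout times event rate plus the max_pending cap, so at several thousand records per second a 2 s timeout holds at most a few thousand partial events; tune both to the host. And because stale events are only checked when a new record arrives, a quiet host can leave the last timed-out event buffered indefinitely; a production plugin would add a timer (or select with a timeout on stdin) that calls flush_stale periodically.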

Thread overview: 2+ messages
2012-01-11  2:05 dump [this message]
2012-01-11 19:03 ` Consolidate Audit's msgs  Steve Grubb