From: John Dennis <jdennis@redhat.com>
To: burn@swtf.dyndns.org
Cc: linux-audit@redhat.com
Subject: Re: Advice on enriching logs with user and group names before moving them to a central log repository
Date: Thu, 02 Aug 2012 09:54:46 -0400
Message-ID: <501A86A6.1020004@redhat.com>
In-Reply-To: <1343904854.4074.76.camel@swtf>

On 08/02/2012 06:54 AM, Burn Alting wrote:
> Hi,
>
> I have a scenario of a mixed collection of Linux systems, some that have
> users authenticate via a central ldap, others have local (/etc/passwd)
> authentication.
> This means I cannot 100% depend that the user name say, fred, with uid
> 1000, has the same uid on every machine he has an account on.  Thus
> before I send my logs to
> a central server, I want to enrich them with user and group names I
> validate at the local machine. That is, I want to change an event's ids from
>
>     .... uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=43
>     sgid=43 fsgid=43 ....
>
> to
>
>     .... uid=1000(fred) gid=1000(prog) euid=1000(fred) suid=1000(fred)
>     fsuid=1000(fred) egid=43(utmp) sgid=43(utmp) fsgid=43(utmp) ....
>
>
> I BELIEVE my best approach is to use the event multiplexor (audispd) to
> convert raw logs via a child program, say based on the sample code,
> audisp-example (i.e. using the auparse library)
> and send the output of this audisp-example variant to syslog to get
> the event to a central repository.
>
> Is this the best approach?
>
> Are there parameters I should consider for audisp.conf (e.g. q_depth =
> 99999)? Does such a configuration option in audisp.conf suggest I make
> the buffer size set in audit.rules to something higher?
>
> Is there any consideration to having auditd have an option to directly
> generate user and group names in addition to uid and gids?

A while ago we were actively working on central log aggregation and ran 
into exactly this problem. There are a number of items in an audit log 
whose value can only be interpreted on the machine the event occurred on 
and at the moment the event occurs (or within a short duration).

There were plans to author an audit plugin that would augment the data 
items with their (interpreted) value. I'm not sure whatever happened to 
that plugin. Steve, can you elaborate?


-- 
John Dennis <jdennis@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
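The uid/gid-to-name enrichment the original question describes, as an added example that is not part of this thread, of audisp-example or of the audit project. It resolves names with Python's pwd/grp modules instead of auparse, reads events on stdin the way an audispd child plugin does, and tags ids the local host cannot resolve so the collector can tell them apart from unenriched records; the sample record and the passwd/group tables are constructed.

```python
import grp
import pwd
import re
import sys

# User-id fields (passwd) and group-id fields (group); auid/ouid/ogid are added to the post's list.
UID_FIELDS = {"uid", "euid", "suid", "fsuid", "auid", "ouid"}
GID_FIELDS = {"gid", "egid", "sgid", "fsgid", "ogid"}
UNSET_ID = 4294967295  # (unsigned)-1: the kernel's "unset" id, e.g. a daemon's auid
# key=digits not already followed by "(name)", so a second pass is a no-op
_ID_FIELD = re.compile(r"\b(?P<key>[a-z]+)=(?P<val>\d+)\b(?!\()")

def _passwd_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None

def _group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return None

def enrich_record(line, user_lookup=_passwd_name, group_lookup=_group_name):
    """Append (name) to each uid/gid field; ids this host cannot resolve become (unknown)."""
    def repl(m):
        key, val = m.group("key"), int(m.group("val"))
        if key in UID_FIELDS:
            lookup = user_lookup
        elif key in GID_FIELDS:
            lookup = group_lookup
        else:
            return m.group(0)  # pid=, ses=, syscall= ... are not ids
        if val == UNSET_ID:
            return f"{key}={val}(unset)"
        name = lookup(val)
        return f"{key}={val}({'unknown' if name is None else name})"
    return _ID_FIELD.sub(repl, line)

# Constructed sample: the ids from the original post, and constructed passwd/group stand-ins.
SAMPLE_RECORD = ("type=SYSCALL msg=audit(1343904854.123:456): pid=2345 uid=1000 gid=1000 "
                 "euid=1000 suid=1000 fsuid=1000 egid=43 sgid=43 fsgid=43 auid=4294967295")
SAMPLE_USERS = {1000: "fred", 0: "root"}
SAMPLE_GROUPS = {1000: "prog", 43: "utmp"}

if __name__ == "__main__":
    # As an audispd child plugin: events on stdin, enriched lines on stdout (hand to syslog from here).
    for record in sys.stdin:
        sys.stdout.write(enrich_record(record))
```

Run without arguments it filters stdin, so `ausearch -i`-style interpretation is done locally before the record leaves the host; with the SAMPLE_* tables passed as lookups, `enrich_record(SAMPLE_RECORD, SAMPLE_USERS.get, SAMPLE_GROUPS.get)` produces the `uid=1000(fred) ... fsgid=43(utmp)` form shown in the question.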
