From: LC Bruzenak <lenny@magitekltd.com>
To: Loredan Stancu <loredan.stancu@myclar.ro>
Cc: linux-audit@redhat.com
Subject: Re: audisp-prelude problems
Date: Wed, 03 Dec 2008 11:17:46 -0600
Message-ID: <1228324666.14768.131.camel@homeserver>
In-Reply-To: <49424.193.230.245.33.1228323199.squirrel@secure.myclar.ro>
On Wed, 2008-12-03 at 18:53 +0200, Loredan Stancu wrote:
> > On Wed, 2008-12-03 at 17:28 +0200, Loredan Stancu wrote:
> >
...
> Supposing the remote system is an SELinux machine (a machine which stores
> all the user activity sent by audisp-remote plugins; there is more than
> one machine for which I want to store events), what should I do on this
> machine to keep separate event files for each machine?
A couple of different ways to do this:
1: Leave the events in the original log but create new duplicates
- periodically parse using ausearch and filter the output on "node" to
different file (now)
- use the auparse library on logfiles - see audit-1.7.9/auparse/test/
for examples (custom)
- also possibly use the af_unix plugin as per setroubleshoot for event
access (custom)
- write a patch for a new audisp plugin (custom)
2: MY favorite: ask Steve how to make the aggregating side flexible in
this regard. We may need a BZ filed or a consensus about what is
important on this list. I also would like a separation based on time to
allow for an easier archive/restore capability...and maybe that built in
if possible!
:)
Separation based on node is also a potential "good thing".
Anyway, the point is that if there was an official audit modification to
enable this, the data would not be duplicated as it would be above.
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
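The "now" option above (filter the aggregated log on the `node` field into per-node files) and the wished-for separation by time, as an added example that is not part of this thread or of the audit package: a small Python splitter that reads raw audit records, keys them by the leading `node=` field and optionally by UTC day, and appends each bucket to its own file. The hostnames, serials and timestamps in the sample log are constructed for the example.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of an aggregated audit.log (hostnames, serials and
# timestamps are invented for this example). Records forwarded by the
# audisp-remote plugin carry a leading node= field naming the sending
# machine; records generated on the aggregator itself have no node= field.
SAMPLE_LOG = """\
node=web1.example.test type=SYSCALL msg=audit(1228324666.123:456): arch=c000003e syscall=2 success=yes exit=3 pid=2000 auid=500 uid=0 comm="cat" exe="/bin/cat" key="access"
node=web1.example.test type=CWD msg=audit(1228324666.123:456):  cwd="/root"
node=web1.example.test type=PATH msg=audit(1228324666.123:456): item=0 name="/etc/shadow" inode=1234 mode=0100400 ouid=0 ogid=0
node=db1.example.test type=USER_LOGIN msg=audit(1228324700.000:789): user pid=3000 uid=0 auid=501 msg='op=login id=501 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=DAEMON_START msg=audit(1228411000.000:1): auditd start, ver=1.7.9 format=raw kernel=2.6.27 auid=4294967295 pid=1500 res=success
"""

# Header of every raw audit record: optional node=, then type= and msg=audit(secs.ms:serial):
RECORD_RE = re.compile(
    r"^(?:node=(?P<node>\S+)\s+)?type=(?P<type>\S+)\s+"
    r"msg=audit\((?P<secs>\d+)\.\d+:(?P<serial>\d+)\):"
)

def record_key(line, by_day=False):
    """Bucket for one record: the node name, optionally suffixed with the UTC day.
    Records without node= come from the aggregator itself ('_local');
    lines that do not look like audit records land in '_unparsed'."""
    m = RECORD_RE.match(line)
    if not m:
        return "_unparsed"
    node = m.group("node") or "_local"
    if not by_day:
        return node
    day = datetime.fromtimestamp(int(m.group("secs")), tz=timezone.utc)
    return f"{node}.{day:%Y-%m-%d}"

def split_log(log_text, by_day=False):
    """Group raw audit lines into buckets keyed per node (and per day if asked)."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            buckets[record_key(line, by_day)].append(line)
    return dict(buckets)

def write_buckets(buckets, directory):
    """Append each bucket to <directory>/audit.<key>.log; returns the paths written."""
    os.makedirs(directory, exist_ok=True)
    paths = []
    for key, lines in sorted(buckets.items()):
        path = os.path.join(directory, f"audit.{key}.log")
        with open(path, "a") as fh:  # append, so repeated runs extend the per-node files
            fh.write("\n".join(lines) + "\n")
        paths.append(path)
    return paths

if __name__ == "__main__":
    for key, lines in sorted(split_log(SAMPLE_LOG, by_day=True).items()):
        print(f"{key}: {len(lines)} record(s)")
```

Feed it the output of `ausearch --raw` (or the aggregator's audit.log directly) and run it from cron to get the periodic per-node copies described in option 1; the original log is left untouched, so the duplication LCB mentions still applies.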