From: LC Bruzenak
Subject: Re: audisp-prelude problems
Date: Wed, 03 Dec 2008 11:17:46 -0600
Message-ID: <1228324666.14768.131.camel@homeserver>
References: <49424.193.230.245.33.1228323199.squirrel@secure.myclar.ro>
In-Reply-To: <49424.193.230.245.33.1228323199.squirrel@secure.myclar.ro>
To: Loredan Stancu
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wed, 2008-12-03 at 18:53 +0200, Loredan Stancu wrote:
> > On Wed, 2008-12-03 at 17:28 +0200, Loredan Stancu wrote:
> > ...
> Supposing the remote system is an SELinux machine (a machine which stores
> all the user activity sent by audisp-remote plugins. There are more than
> one machine for which I want to store events), what should I do on this
> machine to keep separate file events for each machine?

A couple of different ways to do this:

1: Leave the events in the original log but create new duplicates
   - periodically parse using ausearch and filter the output on "node" to a different file (now)
   - use the auparse library on logfiles - see audit-1.7.9/auparse/test/ for examples (custom)
   - also possibly use the af_unix plugin as per setroubleshoot for event access (custom)
   - write a patch for a new audisp plugin (custom)

2: MY favorite: ask Steve how to make the aggregating side flexible in this regard.
   We may need a BZ filed or a consensus about what is important on this list.

I also would like a separation based on time to allow for an easier archive/restore
capability...and maybe that built in if possible! :)

Separation based on node is also a potential "good thing".

Anyway, the point is if there was an official audit modification to enable this,
the data would not be duplicated as it would above.

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
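The first option above (periodically parse the aggregated log and fan records out by "node", with a time-based split on top) can be sketched without the auparse bindings. The following is an added example written for this page; it is not code from the thread, from audit-1.7.9 or from the audit project. It assumes the aggregator writes raw-format records with a leading `node=` field (the form auditd produces when `name_format` is enabled), and it embeds a handful of constructed sample records rather than reading /var/log/audit/audit.log. The bucket key is (node, UTC day) so the same pass yields the per-node and per-day separation both discussed above. Because the node name arrives from the remote sender, it is reduced to a filename-safe token before it is used to build an output path.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample records in auditd's raw log format, with name_format set
# so each forwarded record starts with node=. They are made up for this example;
# the last one shows a hostile node value that must not steer the output path.
SAMPLE_LOG = """\
node=hostA type=SYSCALL msg=audit(1228324666.001:101): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat"
node=hostA type=CWD msg=audit(1228324666.001:101):  cwd="/root"
node=hostA type=PATH msg=audit(1228324666.001:101): item=0 name="/etc/shadow" inode=1234 mode=0100400
node=hostB type=USER_LOGIN msg=audit(1228324670.500:12): pid=2211 uid=0 auid=500 msg='op=login acct="alice" res=success'
type=DAEMON_START msg=audit(1228324680.000:1): auditd start, ver=1.7.9 format=raw kernel=2.6.27
node=../etc type=USER_CMD msg=audit(1228411066.000:7): pid=3001 uid=500 auid=500 msg='cmd="id" res=success'
"""

NODE_RE = re.compile(r'^node=(\S+)\s')
STAMP_RE = re.compile(r'msg=audit\((\d+)\.\d+:\d+\)')


def node_of(record, default="local"):
    """Return the node= value of a raw record, or `default` when the record
    was written by the aggregator itself (no node= prefix)."""
    m = NODE_RE.match(record)
    return m.group(1) if m else default


def event_day(record):
    """Return the UTC calendar day (YYYY-MM-DD) from the msg=audit(...) stamp,
    or None when the record carries no recognizable stamp."""
    m = STAMP_RE.search(record)
    if not m:
        return None
    ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    return ts.strftime("%Y-%m-%d")


def safe_name(node):
    """Reduce a sender-supplied node name to a filename-safe token so that a
    value such as '../etc' cannot escape the output directory."""
    cleaned = re.sub(r'[^A-Za-z0-9._-]', '_', node)
    return cleaned if cleaned.strip('.') else "unknown"


def split_records(text, default="local"):
    """Bucket raw records by (node, day); returns {(node, day): [record, ...]}.
    Records that belong to one event share a stamp and therefore stay together."""
    buckets = defaultdict(list)
    for record in text.splitlines():
        if not record.strip():
            continue
        key = (safe_name(node_of(record, default)), event_day(record) or "undated")
        buckets[key].append(record)
    return dict(buckets)


def write_split(text, outdir, default="local"):
    """Append each bucket to <outdir>/audit-<node>-<day>.log; the original
    log is left untouched, as in option 1 above. Returns {bucket: path}."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    written = {}
    for (node, day), records in split_records(text, default).items():
        path = out / f"audit-{node}-{day}.log"
        with path.open("a", encoding="utf-8") as fh:
            fh.write("\n".join(records) + "\n")
        written[(node, day)] = str(path)
    return written


if __name__ == "__main__":
    for key, path in write_split(SAMPLE_LOG, "/tmp/audit-split").items():
        print(key, "->", path)
```

Run from cron against the real log in place of SAMPLE_LOG, this gives the per-node, per-day copies described in option 1 while the aggregated file stays the authoritative record. When only the node split is wanted and the records are searchable, `ausearch -n <node>` (the `--node` filter) does the same selection without a custom parser.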