public inbox for linux-audit@redhat.com
* audisp resend question
From: LC Bruzenak @ 2008-12-04 17:21 UTC (permalink / raw)
  To: Linux Audit

Steve or DJ,

Have you guys thought about how I can re-send submitter events from a
client to a master auditd after failure?

I'm thinking of the case where the aggregating/collector machine has
failed and the clients then shut down as configured.

Say the problem on the collector is fixed and it comes back up.
Then we bring up the client sender machine(s).
I haven't tested this, but I do not think the missed events will get
sent, right?

How can I try to resend the events to the collector? I apologize if
there is a way I've missed. I think it would be possible to write the
events to a separate file and resend those on restart. But even if there
is a manual/semi-manual way to do this it beats nothing in my case.

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


* Re: audisp resend question
From: Steve Grubb @ 2008-12-04 17:42 UTC (permalink / raw)
  To: linux-audit

On Thursday 04 December 2008 12:21:29 LC Bruzenak wrote:
> Say the problem on the collector is fixed and it comes back up.
> Then we bring up the client sender machine(s).
> I haven't tested this but I do not think the missed events will get sent
> right?

Correct.


> How can I try to resend the events to the collector?

All audisp plugins take their data from stdin. You can pipe the raw output of 
ausearch into audisp-remote and it should do the right thing.

-Steve


* Re: audisp resend question
From: LC Bruzenak @ 2008-12-04 17:52 UTC (permalink / raw)
  To: Linux Audit

On Thu, 2008-12-04 at 12:42 -0500, Steve Grubb wrote:
> On Thursday 04 December 2008 12:21:29 LC Bruzenak wrote:
...
> 
> > How can I try to resend the events to the collector?
> 
> All audisp plugins take their data from stdin. You can pipe the raw output of 
> ausearch into audisp-remote and it should do the right thing.

OK, works for me... the last sent message on the collector is
identifiable, but do timestamps (with full precision) work as input to
the "-ts" switch?

I don't know how to remove duplicates (probably not an issue anyway).

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


* Re: audisp resend question
From: Steve Grubb @ 2008-12-04 18:45 UTC (permalink / raw)
  To: linux-audit

On Thursday 04 December 2008 12:52:54 LC Bruzenak wrote:
> > All audisp plugins take their data from stdin. You can pipe the raw
> > output of ausearch into audisp-remote and it should do the right thing.
>
> OK, works for me...the last sent message on the collector is
> identifiable, but do timestamps (with full precision) work as input to
> the "-ts" switch?

Not at this point. Ausearch always shows the converted time unless you do a
--raw.


> I don't know how to remove duplicates (probably not be an issue anyway).

Aureport is about the only thing that cares. Also, a duplicate 
boot/login/logout will also affect aulast.

-Steve
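An added example, not from the thread and not part of the audit package, tying together Steve's two answers (audisp plugins read raw records on stdin; ausearch -ts takes only whole seconds; aureport and aulast are what notice duplicates). Instead of cutting at a -ts time, it keys off the msg=audit(SECONDS.MILLIS:SERIAL) ID that every raw record carries, which Lenny says is identifiable on the collector, so the resend starts exactly after the last record the collector has and nothing is sent twice. Assumed: /var/log/audit/audit.log and /sbin/audisp-remote as paths, and that the last received ID is read off the collector by hand; the sample log lines are constructed.

```shell
#!/bin/sh
# Resend audit records the collector missed, keyed on the audit event ID.
# Constructed example for this thread; it is not part of audit/audisp.
#
# Every raw record carries msg=audit(SECONDS.MILLIS:SERIAL). Forwarding
# only records whose ID sorts after the last one the collector logged
# gives a millisecond-exact cut point (ausearch -ts accepts only whole
# seconds) and sends nothing the collector already has, so aureport and
# aulast see no duplicate boot/login/logout records. SERIAL restarts at
# boot, so the timestamp is compared before the serial.

# replay_after LAST_ID
#   stdin:  raw audit records (audit.log format, or `ausearch --raw`)
#   stdout: only the records whose ID sorts after LAST_ID
#   Lines without a parseable ID (separators, garbage) are not forwarded.
replay_after() {
    awk -v last="$1" '
    BEGIN {
        n = split(last, p, "[.:]")
        if (n != 3) { print "bad event id: " last > "/dev/stderr"; exit 2 }
        lsec = p[1] + 0; lms = p[2] + 0; lser = p[3] + 0
    }
    {
        if (!match($0, /msg=audit\([0-9]+\.[0-9]+:[0-9]+\)/)) next
        # strip the leading "msg=audit(" (10 chars) and trailing ")"
        id = substr($0, RSTART + 10, RLENGTH - 11)
        split(id, q, "[.:]")
        sec = q[1] + 0; ms = q[2] + 0; ser = q[3] + 0
        if (sec > lsec || (sec == lsec && (ms > lms || (ms == lms && ser > lser))))
            print
    }'
}

# resend_to_collector LAST_ID [LOGFILE...]
#   Assumed paths: /var/log/audit/audit.log and /sbin/audisp-remote.
#   Pass rotated files oldest first so records arrive in order.
#   audisp-remote, like every audisp plugin, reads events on stdin and
#   sends them according to /etc/audisp/audisp-remote.conf.
resend_to_collector() {
    last="$1"; shift
    [ $# -gt 0 ] || set -- /var/log/audit/audit.log
    cat "$@" | replay_after "$last" | /sbin/audisp-remote
}

# Constructed sample of a client's audit.log (not real data). The first
# event spans two records; the login/logout pair shares a timestamp.
SAMPLE_LOG='type=SYSCALL msg=audit(1228411289.100:4566): arch=c000003e syscall=2 success=yes exit=3
type=PATH msg=audit(1228411289.100:4566): item=0 name="/etc/passwd"
type=SYSCALL msg=audit(1228411289.100:4567): arch=c000003e syscall=2 success=yes exit=4
type=USER_LOGIN msg=audit(1228411290.005:4568): pid=2211 uid=0 auid=500 res=success
type=USER_END msg=audit(1228411290.005:4569): pid=2211 uid=0 auid=500 res=success'

# resend_count LAST_ID
#   Dry run over SAMPLE_LOG: number of records that would be resent.
resend_count() {
    printf '%s\n' "$SAMPLE_LOG" | replay_after "$1" | grep -c 'msg=audit'
}

# Usage: ./resend.sh 1228411289.100:4567 [/var/log/audit/audit.log.1 ...]
if [ $# -ge 1 ]; then
    resend_to_collector "$@"
fi
```

Run `resend_count 1228411289.100:4567` and only the two records after that ID come back; with the last-received ID one serial lower, three do, because records sharing a timestamp are ordered by serial. If the client rotated its logs while the collector was down, hand the rotated files to resend_to_collector oldest first, or replace the `cat` with `ausearch --raw --input-logs`, which yields the same raw lines across all of them.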

