From: LC Bruzenak
Subject: Re: audisp-remote and audisp-prelude question
Date: Tue, 24 Mar 2009 13:01:39 -0500
Message-ID: <1237917699.9989.9.camel@homeserver>
References: <200902271033.21486.sgrubb@redhat.com> <200902271156.55861.sgrubb@redhat.com> <1237912188.9480.258.camel@homeserver> <200903241306.07952.sgrubb@redhat.com>
In-Reply-To: <200903241306.07952.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tue, 2009-03-24 at 13:06 -0400, Steve Grubb wrote:
> On Tuesday 24 March 2009 12:29:48 LC Bruzenak wrote:
> > On the prewikka screen I only see the second event.
>
> prelude is its own protocol and picks out certain data from its config files and
> puts in its packets. The intended use is each machine sends its prelude alerts

not MY intended use... :)

> to a common prelude manager. Each audit event is sent to its aggregator. The
> two systems diverge at audispd.
>
> kernel->auditd->audispd-+->audisp-prelude->prelude-manager
>                         +->audisp-remote->auditd
>
> -Steve

Steve; thanks. I may not follow.
Does the above preclude what I'm asking?
Asked another way, what stops the aggregated audit events from creating
a prelude event?

Thx,
LCB.

--
LC (Lenny) Bruzenak
lenny@magitekltd.com