From: Steve Grubb
Subject: Re: Thoughts on adding sd-journal as a log_format to auditd
Date: Fri, 15 Mar 2013 12:54:28 -0400
Message-ID: <1416476.vdemb8vVx9@x2>
References: <1738104947.8168390.1363360970843.JavaMail.root@redhat.com>
In-Reply-To: <1738104947.8168390.1363360970843.JavaMail.root@redhat.com>
To: linux-audit@redhat.com
Cc: Miloslav Trmac
List-Id: linux-audit@redhat.com

On Friday, March 15, 2013 11:22:50 AM Miloslav Trmac wrote:
> ----- Original Message -----
>
> > 2) Write an audispd plugin that used the sd-journal API to store
> > audit events in the journal.
> >
> > 3) Add sd-journal as a log format to auditd.
>
> Both of these will run into the problem recently discussed on this mailing
> list: the available methods to parse audit records into fields are a bit
> imprecise/"lossy" because not all records keep the name=value format as
> expected.

I don't think this is a problem to worry about. A plugin is handed the whole
event line by line. To push events you don't need to parse. The real issue is
later...running reports.

I also thought there was some patch presented on this list sometime in the
last month to allow journald to listen for audit events directly.

-Steve
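An added example, not code from this thread or from the audit project, illustrating the "lossy" field parsing the reply discusses: a small Python parser that pulls name=value pairs out of audit records, flattens the nested msg='...' list that user-space records carry, and keeps the tokens that do not fit the format (the free text in an AVC record) instead of silently dropping them, which is what a report stage needs to know. The sample records are constructed for the example, not real log data.

```python
import re
from dataclasses import dataclass, field

# Constructed sample records (not real audit output). The USER_ACCT record has a
# nested msg='...' list and the AVC record has free text before its name=value pairs.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1363360970.843:1201): arch=c000003e syscall=2 success=yes '
    'exit=3 ppid=1 pid=4242 auid=1000 uid=0 comm="cat" exe="/bin/cat" key="files"',
    'type=USER_ACCT msg=audit(1363360970.843:1202): pid=4243 uid=0 auid=4294967295 '
    "msg='op=PAM:accounting acct=\"root\" exe=\"/usr/sbin/crond\" terminal=cron res=success'",
    'type=AVC msg=audit(1363360970.843:1203): avc:  denied  { read } for  pid=4244 '
    'comm="cat" name="shadow" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=file',
]

# Every record starts with type=... msg=audit(timestamp:serial): followed by the body.
HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
# A token is either name=value (value may be "..." or '...' quoted) or a loose word.
TOKEN_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S*)|(\S+)""")


@dataclass
class AuditRecord:
    rtype: str
    timestamp: float
    serial: int
    fields: dict = field(default_factory=dict)
    unparsed: list = field(default_factory=list)  # tokens that were not name=value


def parse_record(line):
    """Split one audit record into fields; non-conforming tokens go to .unparsed."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = AuditRecord(m.group(1), float(m.group(2)), int(m.group(3)))
    for name, value, loose in TOKEN_RE.findall(m.group(4)):
        if loose:
            rec.unparsed.append(loose)   # e.g. "avc:", "denied", "{", "read", "}", "for"
            continue
        if value[:1] in ("'", '"'):
            value = value[1:-1]
        if name == "msg" and "=" in value:
            # user-space records nest a second name=value list inside msg='...'
            for n, v, l in TOKEN_RE.findall(value):
                if n:
                    rec.fields[n] = v.strip('"')
                else:
                    rec.unparsed.append(l)
            continue
        rec.fields[name] = value
    return rec
```

Anything left in `unparsed` after a run over real logs is exactly the text a name=value-only report would lose, so counting it per record type is a quick way to measure how lossy a parser is on a given system.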