From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "MAUPERTUIS, PHILIPPE" <philippe.maupertuis@equensworldline.com>
Subject: Re: ausearch on the fly
Date: Fri, 20 Dec 2019 14:23:34 -0500
Message-ID: <1765069.Uqzcf1Iu7r@x2>
In-Reply-To: <5F4EE10832231F4F921A255C1D9542982304BF@DEERLM99EX7MSX.ww931.my-it-solutions.net>
On Friday, December 20, 2019 8:33:11 AM EST MAUPERTUIS, PHILIPPE wrote:
> We are centralizing the audit logs with rsyslog.
> The SIEM behind the central log server is unable to process the raw logs.
> We would like to push the ausearch result in CSV format in real time or
> near real time. Is there a way to have ausearch working from a pipe and
> waiting when no logs are received?
I think that I've seen others who set up a cron job and use the checkpointing
feature so that they do not miss anything. You can pipe its output into
logger. You probably also want to cut the first line which has the column
headers.
ausearch --start today --checkpoint /root/last-ausearch.chpt --format csv | tail -n +2 | logger
Also, the latest syslog plugin can now do interpretation. I think it's in
alpha-9 which dates back to Nov 04, 2019.
It really shouldn't be hard to copy and paste the code from ausearch into the
syslog plugin to log directly in that format. I wonder if anyone else would
find that useful?
-Steve
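The cron-job approach Steve describes, written out as an added example (not code from the mail or from the audit project): it keeps his pipeline but captures ausearch's exit status separately so a checkpoint error is reported rather than swallowed. The checkpoint path, the syslog tag and the script name forward-audit-csv.sh are assumptions.

```shell
#!/bin/sh
# Added example, not code from Steve's mail or the audit project: a cron-friendly
# wrapper around the ausearch | tail | logger pipeline above. Assumed values:
# the checkpoint path, the syslog tag and the script name forward-audit-csv.sh.

CHECKPOINT="${CHECKPOINT:-/root/last-ausearch.chpt}"
SYSLOG_TAG="${SYSLOG_TAG:-ausearch-csv}"
AUSEARCH="${AUSEARCH:-ausearch}"   # overridable so the function can be exercised without auditd
LOGGER="${LOGGER:-logger}"

# ausearch --format csv prints a column-header line first; drop it so the
# SIEM does not ingest a bogus "event" on every run.
strip_csv_header() {
    tail -n +2
}

# One incremental pass. Returns 0 when events were forwarded or there was
# nothing new; non-zero if ausearch itself failed (for example a checkpoint
# error), so cron mails the failure instead of records being silently lost.
forward_audit_csv() {
    tmp=$(mktemp) || return 1
    # Capture to a file first: in a pipeline the exit status would be logger's,
    # not ausearch's, and ausearch's status says whether the pass was clean.
    "$AUSEARCH" --start today --checkpoint "$CHECKPOINT" --format csv >"$tmp"
    rc=$?
    case "$rc" in
        0) strip_csv_header <"$tmp" | "$LOGGER" -t "$SYSLOG_TAG" ;;
        1) ;;   # ausearch exits 1 when no records matched: normal for a quiet interval
        *) echo "forward_audit_csv: ausearch exited with status $rc" >&2 ;;
    esac
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]
}

# Run a pass only when invoked as the installed script (e.g. from cron),
# so the file can also be sourced to reuse the functions.
case "${0##*/}" in
    forward-audit-csv.sh) forward_audit_csv ;;
esac
```

Schedule it from cron under flock(1) (for example `flock -n /run/forward-audit-csv.lock /usr/local/sbin/forward-audit-csv.sh`) so two overlapping runs never race on the same checkpoint file.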