From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: capturing audit data with ausearch -i
Date: Wed, 11 Dec 2013 07:58:17 -0500
Message-ID: <1866710.OvlRlzF6lS@x2>
References: <91A75C8A95C47545850F344255A779E305847311@XMBC3082.northgrum.com>
In-Reply-To: <91A75C8A95C47545850F344255A779E305847311@XMBC3082.northgrum.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

On Tuesday, December 10, 2013 10:17:26 PM Levy, Mark wrote:
> We're trying to find a way to capture the Linux audit data and then pass it
> through ausearch -I and then send the data to our SIEM product for
> ingestion. Does the audispd allow the ausearch -I to be used as an arg?

No. It has just one job: distribute events to all plugins as fast as possible to
prevent overflow in the queue from auditd.

> What would be the best way to attempt this?

It's really easy to write an audispd plugin to format data exactly how you want
it. Have you looked at the sample code?

https://fedorahosted.org/audit/browser/trunk/contrib/plugin/audisp-example.c

-Steve
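A skeleton of the kind of plugin the reply describes, added here as an example and not the audisp-example.c it links to: it reads raw records from stdin the way audispd feeds its plugins and rewrites each one as a JSON line for a SIEM to ingest. It tokenises the key=value text itself instead of using libauparse, and the sample record in the comments is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Append one JSON string for the bytes [s, s+len) to out, escaping '"' and '\'. */
static int put_str(char *out, size_t sz, size_t *n, const char *s, size_t len) {
    if (*n + 2 * len + 3 > sz) return -1;    /* worst case: every byte escaped */
    out[(*n)++] = '"';
    for (size_t i = 0; i < len; i++) {
        if (s[i] == '"' || s[i] == '\\') out[(*n)++] = '\\';
        out[(*n)++] = s[i];
    }
    out[(*n)++] = '"';
    return 0;
}

/* A constructed record such as 'type=SYSCALL msg=audit(1.2:3): uid=0 comm="cat"'
 * becomes {"type":"SYSCALL","msg":"audit(1.2:3):","uid":"0","comm":"cat"}.
 * Quoted values keep the text between the quotes; bare values run to the next space.
 * Returns the JSON length, or -1 on a token without '=' or a too-small buffer. */
int record_to_json(const char *rec, char *out, size_t sz) {
    size_t n = 0, klen, vlen;
    const char *p = rec, *k, *v;
    if (sz < 3) return -1;
    out[n++] = '{';
    while (*p) {
        while (*p == ' ' || *p == '\n') p++;
        if (!*p) break;
        for (k = p; *p && *p != '=' && *p != ' '; p++) {}
        if (*p != '=') return -1;            /* not key=value: reject the record */
        klen = (size_t)(p++ - k);
        if (*p == '"') { for (v = ++p; *p && *p != '"'; p++) {} vlen = (size_t)(p - v); if (*p) p++; }
        else           { for (v = p; *p && *p != ' ' && *p != '\n'; p++) {} vlen = (size_t)(p - v); }
        if (n > 1) out[n++] = ',';           /* n > 1: a field was already written */
        if (put_str(out, sz, &n, k, klen) || n + 1 >= sz) return -1;
        out[n++] = ':';
        if (put_str(out, sz, &n, v, vlen) || n + 2 > sz) return -1;
    }
    out[n++] = '}';
    out[n] = '\0';
    return (int)n;
}

/* audispd starts the plugin and writes each record to its stdin, one per line. */
int main(void) {
    char line[8192], json[16384];
    while (fgets(line, sizeof line, stdin))
        if (record_to_json(line, json, sizeof json) > 0)
            puts(json);                      /* or forward to the SIEM collector */
    return 0;
}
```

A token with no '=' makes record_to_json return -1 so a malformed record is dropped rather than forwarded mangled; a production plugin would log that instead of silently skipping it.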