From: "Levy, Mark (ESS)"
Subject: capturing audit data with ausearch -i
Date: Tue, 10 Dec 2013 22:17:26 +0000
To: linux-audit@redhat.com

Hi,

We're trying to find a way to capture the Linux audit data, pass it through to ausearch -i and then send the data to our SIEM product for ingestion.
Does audispd allow ausearch -i to be used as an arg?
What would be the best way to attempt this?
We would be collecting from hundreds of Linux servers.

Thanks for your input.

Mark

From: Aaron Lewis
Subject: Re: capturing audit data with ausearch -i
Date: Wed, 11 Dec 2013 10:23:37 +0800
To: "Levy, Mark (ESS)"
Cc: linux-audit@redhat.com

ausearch reads through the file every time; it might not be time-efficient, might it?

Anyway, I use a modified audit package that writes to syslog directly, instead of audit.log.

On Wed, Dec 11, 2013 at 6:17 AM, Levy, Mark (ESS) wrote:
> Hi,
>
> We're trying to find a way to capture the Linux audit data and then pass it
> through to ausearch -i and then send the data to our SIEM product for
> ingestion.
> Does audispd allow ausearch -i to be used as an arg?
> What would be the best way to attempt this?
> We would be collecting from hundreds of Linux servers.
>
> Thanks for your input.
>
> Mark

--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E

From: Steve Grubb
Subject: Re: capturing audit data with ausearch -i
Date: Wed, 11 Dec 2013 07:58:17 -0500
To: linux-audit@redhat.com

Hello,

On Tuesday, December 10, 2013 10:17:26 PM Levy, Mark wrote:
> We're trying to find a way to capture the Linux audit data and then pass it
> through to ausearch -i and then send the data to our SIEM product for
> ingestion. Does audispd allow ausearch -i to be used as an arg?

No. It has just one job: distribute events to all plugins as fast as possible to prevent overflow in the queue from auditd.

> What would be the best way to attempt this?

It's really easy to write an audispd plugin to format data exactly how you want it. Have you looked at the sample code?

https://fedorahosted.org/audit/browser/trunk/contrib/plugin/audisp-example.c

-Steve
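To make the plugin approach Steve describes concrete, here is an added example of a minimal audispd output plugin; it is not code from this thread and not the audit project's audisp-example.c. audispd feeds a plugin configured with `format = string` one raw audit record per line on stdin, so the program below parses that record format (type, the `audit(timestamp:serial)` header, then `key=value` pairs, quoted or not) and prints one JSON object per record for a log shipper to forward to the SIEM. The plugin name `audisp-json`, the JSON layout and the sample records in the test are my own choices. It deliberately does not interpret fields the way `ausearch -i` does (syscall numbers, uids and hex-encoded values stay raw); the referenced audisp-example.c links against libauparse for that, which this example avoids so it builds with nothing but a C compiler.

```c
/* audisp-json.c: dependency-free sketch of an audispd output plugin (added
 * example, not the audit project's audisp-example.c). With "format = string"
 * audispd writes one raw record per line to the plugin's stdin; this program
 * parses each record and prints one JSON object per line for a log shipper.
 * Unlike "ausearch -i" it does not interpret fields (syscall numbers, uids and
 * hex-encoded values stay raw); that needs libauparse, as in the sample. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELDS 32
#define MAX_LINE 8970 /* MAX_AUDIT_MESSAGE_LENGTH from libaudit.h */

struct audit_field { char key[32]; char value[512]; };
struct audit_record {
    char type[32];        /* SYSCALL, PATH, USER_LOGIN, ... */
    char timestamp[32];   /* "seconds.millis" text from audit(ts:serial) */
    unsigned long serial; /* all records of one event share this serial */
    int nfields;
    struct audit_field fields[MAX_FIELDS];
};

/* Copy [s, s+n) into dst if it fits; returns 0 when it does not. */
static int copy_token(char *dst, size_t cap, const char *s, size_t n)
{
    if (n >= cap) return 0;
    memcpy(dst, s, n);
    dst[n] = '\0';
    return 1;
}

/* Parse "[node=host ]type=T msg=audit(ts:serial): k=v k="v" k='v' ...".
 * The optional node= prefix appears when audispd.conf sets name_format.
 * Returns 1 on success, 0 if the type/msg=audit() header is missing. */
int parse_audit_record(const char *line, struct audit_record *rec)
{
    const char *p = line, *hdr, *colon, *close;
    memset(rec, 0, sizeof *rec);
    if (strncmp(p, "node=", 5) == 0 && (p = strchr(p, ' ')) != NULL) p++;
    if (!p || strncmp(p, "type=", 5) != 0) return 0;
    p += 5;
    if (!copy_token(rec->type, sizeof rec->type, p, strcspn(p, " "))) return 0;
    if (!(hdr = strstr(p, "msg=audit("))) return 0;
    hdr += strlen("msg=audit(");
    colon = strchr(hdr, ':');
    close = colon ? strchr(colon, ')') : NULL;
    if (!colon || !close) return 0;
    if (!copy_token(rec->timestamp, sizeof rec->timestamp, hdr, (size_t)(colon - hdr))) return 0;
    rec->serial = strtoul(colon + 1, NULL, 10);
    p = close + 1;
    if (*p == ':') p++;
    while (*p) {                       /* key=value pairs */
        while (isspace((unsigned char)*p)) p++;
        const char *eq = strchr(p, '='), *k = p, *v, *end;
        if (!*p || !eq) break;
        v = eq + 1;
        if (*v == '"' || *v == '\'') { /* quoted; a msg='...' value may hold " inside */
            char q = *v++;
            end = strchr(v, q);
            if (!end) end = v + strlen(v);
            p = *end == q ? end + 1 : end;
        } else {
            end = v + strcspn(v, " \n");
            p = end;
        }
        if (rec->nfields < MAX_FIELDS &&
            copy_token(rec->fields[rec->nfields].key, 32, k, (size_t)(eq - k)) &&
            copy_token(rec->fields[rec->nfields].value, 512, v, (size_t)(end - v)))
            rec->nfields++;
    }
    return 1;
}

/* Value for key, or NULL when the record has no such field. */
const char *audit_field_get(const struct audit_record *rec, const char *key)
{
    for (int i = 0; i < rec->nfields; i++)
        if (strcmp(rec->fields[i].key, key) == 0) return rec->fields[i].value;
    return NULL;
}

/* Kernel-generated values are hex-encoded when they contain anything
 * unprintable, so escaping " and \ is all a JSON string needs here. */
static void json_string(FILE *out, const char *s)
{
    fputc('"', out);
    for (; *s; s++) { if (*s == '"' || *s == '\\') fputc('\\', out); fputc(*s, out); }
    fputc('"', out);
}

/* One JSON object per record; "serial" lets the SIEM regroup the records of a
 * multi-record event (SYSCALL + CWD + PATH ...) the way ausearch does. */
void print_record_json(FILE *out, const struct audit_record *rec)
{
    fputs("{\"type\":", out);
    json_string(out, rec->type);
    fprintf(out, ",\"time\":%s,\"serial\":%lu", rec->timestamp, rec->serial);
    for (int i = 0; i < rec->nfields; i++) {
        fputc(',', out);
        json_string(out, rec->fields[i].key);
        fputc(':', out);
        json_string(out, rec->fields[i].value);
    }
    fputs("}\n", out);
}

int main(void)
{
    static char line[MAX_LINE];
    struct audit_record rec;
    while (fgets(line, sizeof line, stdin)) {
        if (parse_audit_record(line, &rec)) print_record_json(stdout, &rec);
        fflush(stdout);        /* hand each record to the shipper promptly */
    }
    return 0;
}
```

To run it under audispd on an audit 2.x host, install the binary (say as /usr/local/sbin/audisp-json) and drop a plugin file into /etc/audisp/plugins.d/ with `active = yes`, `direction = out`, `path = /usr/local/sbin/audisp-json`, `type = always` and `format = string`, then restart auditd. Because the plugin consumes the live event stream on every host, nothing re-reads audit.log the way a periodic `ausearch` run would, which addresses Aaron's efficiency concern and scales to hundreds of servers without a central collector having to parse raw logs. The trade-off is that the SIEM receives uninterpreted fields; if it needs names instead of numbers, use libauparse in the plugin as audisp-example.c does rather than shelling out to `ausearch -i`.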