* capturing audit data with ausearch -i
@ 2013-12-10 22:17 Levy, Mark (ESS)
2013-12-11 2:23 ` Aaron Lewis
2013-12-11 12:58 ` Steve Grubb
0 siblings, 2 replies; 3+ messages in thread
From: Levy, Mark (ESS) @ 2013-12-10 22:17 UTC (permalink / raw)
To: linux-audit@redhat.com
Hi,
We're trying to find a way to capture the Linux audit data, pass it through ausearch -I, and then send the data to our SIEM product for ingestion.
Does audispd allow ausearch -I to be used as an arg?
What would be the best way to attempt this?
We would be collecting from hundreds of Linux servers.
Thanks for your input.
Mark
* Re: capturing audit data with ausearch -i
From: Aaron Lewis @ 2013-12-11 2:23 UTC (permalink / raw)
To: Levy, Mark (ESS); +Cc: linux-audit@redhat.com
ausearch reads through the file every time; that might not be
time-efficient, might it?
Anyway, I use a modified audit package that writes to syslog directly,
instead of audit.log.
On Wed, Dec 11, 2013 at 6:17 AM, Levy, Mark (ESS) <Mark.Levy@ngc.com> wrote:
> Hi,
>
> We're trying to find a way to capture the Linux audit data, pass it
> through ausearch -I, and then send the data to our SIEM product for
> ingestion.
> Does audispd allow ausearch -I to be used as an arg?
> What would be the best way to attempt this?
> We would be collecting from hundreds of Linux servers.
>
> Thanks for your input.
>
>
> Mark
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
* Re: capturing audit data with ausearch -i
From: Steve Grubb @ 2013-12-11 12:58 UTC (permalink / raw)
To: linux-audit
Hello,
On Tuesday, December 10, 2013 10:17:26 PM Levy, Mark wrote:
> We're trying to find a way to capture the Linux audit data, pass it
> through ausearch -I, and then send the data to our SIEM product for
> ingestion. Does audispd allow ausearch -I to be used as an arg?
No. It has just one job: distribute events to all plugins as fast as possible
to prevent overflow in the queue from auditd.
> What would be the best way to attempt this?
It's really easy to write an audispd plugin to format data exactly how you want
it. Have you looked at the sample code?
https://fedorahosted.org/audit/browser/trunk/contrib/plugin/audisp-example.c
-Steve
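To make the plugin route concrete, here is an added example (not the audit project's audisp-example.c and not code from anyone in this thread) of a minimal audispd plugin in Python: audispd starts the configured executable and hands it raw audit records on stdin, one per line, and this script parses each record into one JSON line on stdout for a SIEM forwarder to collect. The plugin config path and file name in the docstring are assumptions, and the sample records are constructed.

```python
#!/usr/bin/env python3
"""Minimal audispd plugin: raw audit records in on stdin, one compact JSON
object per record out on stdout. Assumed (illustrative) plugin config in
/etc/audisp/plugins.d/json.conf: active=yes, type=always, format=string,
path=/usr/local/bin/audisp-json.py (path and file name are hypothetical)."""
import json
import re
import signal
import sys

# Every record starts: type=<TYPE> msg=audit(<epoch.ms>:<serial>): <key=value fields>
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# Values are bare, "double-quoted", or 'single-quoted' (USER_* records nest a
# second key=value list inside msg='...')
FIELD = re.compile(r"(\w[\w-]*)=(\"[^\"]*\"|'[^']*'|\S*)")

# Constructed sample records in the shape audispd hands to a format=string plugin
SAMPLE_RECORDS = [
    "type=SYSCALL msg=audit(1386715046.123:456): arch=c000003e syscall=2 success=yes "
    'exit=3 ppid=1 pid=2345 auid=1000 uid=0 gid=0 ses=1 comm="cat" exe="/bin/cat" key="access"',
    "type=USER_AUTH msg=audit(1386715046.200:457): pid=2400 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=PAM:authentication acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=? addr=? terminal=ssh res=failed'",
]

def parse_fields(text):
    """Turn a key=value list into a dict, recursing into a nested msg='...' list."""
    fields = {}
    for key, value in FIELD.findall(text):
        if key == "msg" and len(value) > 1 and value[0] == value[-1] == "'":
            fields[key] = parse_fields(value[1:-1])
        else:
            fields[key] = value.strip("\"'")
    return fields

def parse_record(line):
    """Return a dict for one raw record, or None if the line is not an audit record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    return {"type": rtype, "time": float(ts), "serial": int(serial), **parse_fields(rest)}

def to_json_lines(lines):
    """Stream raw records as one-line JSON; lines that are not records are skipped."""
    for rec in map(parse_record, lines):
        if rec is not None:
            yield json.dumps(rec, separators=(",", ":"))

if __name__ == "__main__":
    signal.signal(signal.SIGTERM, lambda *_: sys.exit(0))  # audispd stops plugins with SIGTERM
    for out in to_json_lines(sys.stdin):
        sys.stdout.write(out + "\n")
        sys.stdout.flush()  # never buffer: a stalled plugin backs up audispd's queue
```

Run it under audispd with the config above, or test it offline with `cat /var/log/audit/audit.log | ./audisp-json.py`; field values stay as the kernel wrote them (uids numeric, syscall numbers), so any `ausearch -i` style name lookup would be a further step in the plugin or in the SIEM.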