From: Russell Coker <russell-YtRjSb8ePh30CCvOHzKKcA@public.gmane.org>
To: Joshua Brindle <jbrindle-5TQdPaFcblfQT0dZR+AlfA@public.gmane.org>
Cc: Karl MacMillan
<kmacmillan-dy+cvmKwH3TCDj715knRiQC/G2K4zDHf@public.gmane.org>,
James Antill <jantill-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Steve Grubb <sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
ewalsh-+05T5uksL2qpZYMLLGbcSA@public.gmane.org,
selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org
Subject: Re: missing avc message field names
Date: Thu, 1 Feb 2007 09:59:37 +1100
Message-ID: <200702010959.41511.russell@coker.com.au>
In-Reply-To: <45C02948.9090607-5TQdPaFcblfQT0dZR+AlfA@public.gmane.org>
On Wednesday 31 January 2007 16:29, Joshua Brindle <jbrindle-5TQdPaFcblfQT0dZR+AlfA@public.gmane.org>
wrote:
> Even with a tail replacement there has to be thousands of internally
> written and maintained log monitoring and reporting apps that will
> break, this is a fundamental change in how logging works on linux, not
> something that can or should be changed on a whim (or otherwise).
Most such programs assume that log files keep the same name until a cron job
renames them. The current practice of auditd rotating its log files has
probably broken the majority of such programs already.
Also Steve Grubb suggested having a configuration option for plain-text files
which will avoid the problems with binary files.
If we work with the assumption that indexed log files are required for sites
with significant audit requirements due to the volume of logs and the need to
get responses in a reasonable amount of time then we have two options. One
is a binary format, the other is to have index files alongside the text
files.
Having separate index files introduces complications for renaming and other
file management (complexity is bad for reliability), even without the issue
of the sys-admin wanting to rename their own log files.
So it seems that the option of a binary log file is required.
Maybe there should be an option to have auditd write a binary log file as well
as either a text log file or logging via syslog? That way the admin could
have the index benefits of a binary log as well as having text files. If
there were two log files then the second copy wouldn't need to be written
synchronously so the IO load would not double.
--
russell-YtRjSb8ePh30CCvOHzKKcA@public.gmane.org
http://etbe.blogspot.com/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo-+05T5uksL2qpZYMLLGbcSA@public.gmane.org with
the words "unsubscribe selinux" without quotes as the message.
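The message above argues that a separate index kept alongside a text log is fragile under renames, because the index names a file that log rotation or the sysadmin can move out from under it. The following is an added illustration of exactly that failure mode; it is not code from the thread, from auditd or from any project discussed here. It assumes a sidecar JSON index stored at `<log>.idx` (a hypothetical layout), a few constructed audit-style records, and uses the log file's device/inode pair as its identity so that a lookup can refuse a stale index instead of seeking into the wrong file.

```python
"""Sidecar index for a plain-text audit log, with a staleness check.

Records are newline-delimited key=value fields in the style of auditd's text
log. The index maps one field's values to byte offsets of the records that
carry them, so a query seeks instead of scanning the whole file. The index
also records which file it was built from: after a rename (log rotation, or
an admin tidying up) the path no longer refers to that file, and the lookup
must notice rather than return records from whatever now sits at the path.
"""
import json
import os
import re
import tempfile

# Constructed sample records in auditd's text style; not real audit data.
SAMPLE_LOG = (
    'type=AVC msg=audit(1170197588.101:1): avc: denied { read } for pid=1001 '
    'comm="httpd" name="shadow" scontext=system_u:system_r:httpd_t '
    'tcontext=system_u:object_r:shadow_t tclass=file\n'
    'type=SYSCALL msg=audit(1170197588.101:1): arch=c000003e syscall=2 '
    'success=no exit=-13 pid=1001 auid=4294967295 uid=48 comm="httpd" '
    'exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t key=(null)\n'
    'type=AVC msg=audit(1170197589.204:2): avc: denied { write } for pid=1002 '
    'comm="sshd" scontext=system_u:system_r:sshd_t '
    'tcontext=system_u:object_r:etc_t tclass=file\n'
    'type=USER_LOGIN msg=audit(1170197590.005:3): user pid=1003 uid=0 auid=500 '
    'msg=\'op=login id=500 exe="/usr/sbin/sshd" res=success\'\n'
)

# key=value, where value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Split one text record into its key=value fields (last key wins)."""
    return dict(FIELD_RE.findall(line))


def index_path(log_path: str) -> str:
    # Hypothetical sidecar layout: the index lives next to the log.
    return log_path + ".idx"


def file_identity(path: str) -> dict:
    """Identity of the file currently at `path`, independent of its name."""
    st = os.stat(path)
    return {"dev": st.st_dev, "inode": st.st_ino}


def build_index(log_path: str, field: str) -> dict:
    """Map every value of `field` to the byte offsets of records carrying it."""
    offsets = {}
    with open(log_path, "rb") as f:
        while True:
            pos = f.tell()
            line = f.readline()
            if not line:
                break
            value = parse_record(line.decode(errors="replace")).get(field)
            if value is not None:
                offsets.setdefault(value, []).append(pos)
    idx = {"field": field, "log": file_identity(log_path), "offsets": offsets}
    with open(index_path(log_path), "w") as f:
        json.dump(idx, f)
    return idx


class StaleIndex(Exception):
    """The index at <log>.idx was built from a different file than <log>."""


def lookup(log_path: str, field: str, value: str) -> list:
    """Return the records whose `field` equals `value`, via the sidecar index."""
    with open(index_path(log_path)) as f:
        idx = json.load(f)
    if idx["field"] != field:
        raise ValueError(f"index covers field {idx['field']!r}, not {field!r}")
    if idx["log"] != file_identity(log_path):
        # The path was renamed or replaced since the index was built; the
        # stored offsets would point into an unrelated file.
        raise StaleIndex(f"{index_path(log_path)} was not built from {log_path}")
    hits = []
    with open(log_path, "rb") as f:
        for pos in idx["offsets"].get(value, []):
            f.seek(pos)
            hits.append(f.readline().decode(errors="replace").rstrip("\n"))
    return hits


def demo() -> tuple:
    """Index the sample log, query it, then rotate the log and query again."""
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "audit.log")
    with open(log, "w") as f:
        f.write(SAMPLE_LOG)
    build_index(log, "pid")
    hits = lookup(log, "pid", "1001")
    # Simulate rotation: the log is renamed and a fresh, empty log starts at
    # the old name. The sidecar index is NOT renamed with it.
    os.rename(log, log + ".1")
    open(log, "w").close()
    try:
        lookup(log, "pid", "1001")
        stale_detected = False
    except StaleIndex:
        stale_detected = True
    return hits, stale_detected
```

Running `demo()` returns the two `pid=1001` records from the original log, then `True` once the rotation has been detected. Without the identity check the second lookup would silently seek into the new empty file and return nothing, or worse, mid-record garbage if the new file had grown; keeping the index inside a single binary file, as the message proposes, removes that class of mismatch because there is no second file to fall out of step.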
Thread overview: 18+ messages
[not found] <20070129185542.32977.qmail@web51502.mail.yahoo.com>
2007-01-29 19:22 ` missing avc message field names Eamon Walsh
[not found] ` <45BE4971.6090601-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2007-01-29 19:43 ` Karl MacMillan
2007-01-29 20:07 ` Eamon Walsh
2007-01-29 20:56 ` Steve Grubb
2007-01-29 21:16 ` Karl MacMillan
2007-01-29 22:49 ` Steve Grubb
2007-01-29 23:48 ` Eamon Walsh
[not found] ` <45BE87E0.5090109-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2007-01-30 12:25 ` Russell Coker
[not found] ` <200701291749.21897.sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2007-01-30 14:49 ` Karl MacMillan
2007-01-30 17:06 ` Joshua Brindle
2007-01-30 17:28 ` Valdis.Kletnieks
2007-01-30 18:45 ` Casey Schaufler
2007-01-30 17:42 ` Steve Grubb
2007-01-30 22:53 ` James Antill
[not found] ` <1170197588.3373.28.camel-pBdgC7Q4sO52KDkfy0k2sw@public.gmane.org>
2007-01-31 0:50 ` Karl MacMillan
2007-01-31 5:29 ` Joshua Brindle
[not found] ` <45C02948.9090607-5TQdPaFcblfQT0dZR+AlfA@public.gmane.org>
2007-01-31 22:59 ` Russell Coker [this message]
2007-02-01 11:40 ` Steve Grubb