From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Auditd 1.0.15 in RHEL4 U4
Date: Mon, 12 Feb 2007 21:29:48 -0500
Message-ID: <200702122129.49009.sgrubb@redhat.com>
In-Reply-To: <1171288460.4760.10.camel@localhost.localdomain>
On Monday 12 February 2007 08:54, Matthew Booth wrote:
> Will this work without any other 4.5 updates?
Yes.
> Also, I had a quick flick through the dispatcher example. I note that
> it's shipping binary logs.
Hmm. I don't recall any binary logs in examples...are you sure?
> This is great from a storage POV, however it wasn't clear to me how this
> would tie in with the existing audit tools. If I simply dump the binary data
> to a file, can I easily:
>
> * Turn it into text?
> * Process it with aureport/ausearch?
Need the answer to the above before I can answer this. But then again...I
would not release anything that did binary formats without having the whole
thing tied together. IOW, I would release something that could read as well
as write a binary format. And I don't recall doing any binary format work.
> Also, that you're aware of, has anybody already implemented the simplest
> possible centralised log server. ie:
>
> * Stream uncompressed, unencrypted, unauthenticated audit logs to server
> * Write 1 log file per client audit daemon
> * Rotate on signal, respecting message boundaries
I believe so. I think the SNARE guys wrote a perl script that uses the
realtime interface and transfers data to their centralized logger.
> I'll be writing this if not.
Well, in about a week we'll be releasing a new & improved event dispatcher
that will allow multiple programs to hang off it and then we'll start looking
into a centralized collection system, too.
-Steve
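The "simplest possible centralised log server" sketched in the quoted list above is small enough to show end to end. The following is an added example written for this page; it is not code from the thread, from the SNARE script mentioned, or from the audit project. It assumes each client streams its audit records as newline-terminated text over plain TCP, uses one file per source address, rotates on SIGHUP, and never splits a record across two files, which is the "respecting message boundaries" requirement. The listening port (6514), the log directory and the one-file-per-IP naming are choices made for this example. Exactly as the list says, the transport is unencrypted and unauthenticated, so anything on the network path can read, drop or inject records; in practice you would run it only on an isolated management network or wrap the connection in stunnel or a VPN, and treat the collected files as unverified until you have some integrity control on the client side.

```python
"""Minimal centralised audit-log collector (example code, not from the thread).

One TCP listener; one append-only file per client address; rotation on
SIGHUP that only ever happens at a record boundary.  Audit records are
assumed to be line-delimited text, as auditd writes them to audit.log.
"""
import os
import signal
import socketserver
import threading
import time

LOG_DIR = "/var/log/audit-collector"   # assumption: directory chosen for this example
LISTEN = ("0.0.0.0", 6514)             # assumption: port chosen for this example
RECORD_SEP = b"\n"                     # assumption: one audit record per line


class ClientLog:
    """Buffers one client's byte stream and writes only complete records."""

    def __init__(self, path):
        self.path = path
        self._buf = b""                 # trailing partial record, not yet on disk
        self._fh = open(path, "ab")     # append: a collector restart must not truncate
        self._lock = threading.Lock()
        self.records = 0

    def feed(self, data):
        """Append raw bytes; write every complete record, keep the unfinished tail.

        Returns the number of complete records written by this call.
        """
        with self._lock:
            self._buf += data
            head, sep, tail = self._buf.rpartition(RECORD_SEP)
            if not sep:                 # no complete record yet: keep buffering
                return 0
            self._fh.write(head + sep)
            self._fh.flush()
            written = head.count(RECORD_SEP) + 1
            self.records += written
            self._buf = tail            # partial record carries over to the next write
            return written

    def rotate(self, suffix):
        """Close the current file and start a fresh one.

        Because feed() never writes a partial record, the rotated file always
        ends on a record boundary; the buffered tail goes into the new file.
        """
        with self._lock:
            self._fh.close()
            rotated = "%s.%s" % (self.path, suffix)
            os.rename(self.path, rotated)
            self._fh = open(self.path, "ab")
            return rotated

    def close(self):
        """Flush the file; a fragment left by a mid-record disconnect is kept, not dropped."""
        with self._lock:
            if self._buf:
                self._fh.write(self._buf)
                self._buf = b""
            self._fh.close()


REGISTRY = {}                          # client address -> ClientLog
REGISTRY_LOCK = threading.Lock()


def log_for(host):
    """Return the ClientLog for a source address, creating its file on first contact."""
    with REGISTRY_LOCK:
        log = REGISTRY.get(host)
        if log is None:
            log = REGISTRY[host] = ClientLog(os.path.join(LOG_DIR, host + ".log"))
        return log


class AuditHandler(socketserver.BaseRequestHandler):
    """One thread per client auditd; just pump bytes into that client's ClientLog."""

    def handle(self):
        log = log_for(self.client_address[0])
        while True:
            data = self.request.recv(65536)
            if not data:                # client closed the stream
                break
            log.feed(data)


def rotate_all(signum, frame):
    """SIGHUP handler: rotate every client file, each at a record boundary."""
    suffix = time.strftime("%Y%m%d%H%M%S")
    with REGISTRY_LOCK:
        for log in REGISTRY.values():
            log.rotate(suffix)


def serve():
    os.makedirs(LOG_DIR, exist_ok=True)
    signal.signal(signal.SIGHUP, rotate_all)
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(LISTEN, AuditHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it as a daemon and `kill -HUP` the process to rotate; the buffering in `feed()` is what makes rotation safe, since the client's TCP stream has no relationship to record boundaries and a `recv()` can return half a record. Everything else (compression, TLS, client authentication, aureport/ausearch over the collected files) layers on top of the per-client file format this leaves behind.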
Thread overview: 4+ messages
2007-02-12 13:54 Auditd 1.0.15 in RHEL4 U4 Matthew Booth
2007-02-13 2:29 ` Steve Grubb [this message]
2007-02-14 14:45 ` Matthew Booth
2007-02-14 15:55 ` Steve Grubb