From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Auditd 1.0.15 in RHEL4 U4
Date: Mon, 12 Feb 2007 21:29:48 -0500
Message-ID: <200702122129.49009.sgrubb@redhat.com>
References: <1171288460.4760.10.camel@localhost.localdomain>
In-Reply-To: <1171288460.4760.10.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday 12 February 2007 08:54, Matthew Booth wrote:
> Will this work without any other 4.5 updates?

Yes.

> Also, I had a quick flick through the dispatcher example. I note that
> it's shipping binary logs.

Hmm. I don't recall any binary logs in examples...are you sure?

> This is great from a storage POV, however it wasn't clear to me how this
> would tie in with the existing audit tools. If I simply dump the binary data
> to a file, can I easily:
>
> * Turn it into text?
> * Process it with aureport/ausearch?

Need the answer to the above before I can answer this. But then again...I would not release anything that did binary formats without having the whole thing tied together. IOW, I would release something that could read as well as write a binary format. And I don't recall doing any binary format work.

> Also, that you're aware of, has anybody already implemented the simplest
> possible centralised log server, i.e.:
>
> * Stream uncompressed, unencrypted, unauthenticated audit logs to server
> * Write 1 log file per client audit daemon
> * Rotate on signal, respecting message boundaries

I believe so. I think the SNARE guys wrote a perl script that uses the realtime interface and transfers data to their centralized logger.

> I'll be writing this if not.

Well, in about a week we'll be releasing a new & improved event dispatcher that will allow multiple programs to hang off it and then we'll start looking into a centralized collection system, too.

-Steve
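The three-bullet collector Matthew sketches above, as an added example that is not code from this thread or from the audit package: a Python receiver that accepts one plain TCP stream per client, keeps the daemon's text records unchanged in one file per client, and on SIGHUP rotates only at a record boundary, so a record that arrived split across two TCP chunks is never torn across two files. The listening port, the log directory and the AUDIT_LOG_DIR variable are assumptions of this example.

```python
import os, signal, socketserver, threading
from pathlib import Path

LOG_DIR = Path(os.environ.get("AUDIT_LOG_DIR", "/var/log/audit-remote"))  # assumed location
LOGS, LOCK = {}, threading.Lock()

class ClientLog:
    def __init__(self, log_dir, client):
        self.path = Path(log_dir) / f"{client}.log"
        self.buf = b""               # bytes of a record not yet terminated by newline
        self.rotate_pending, self.rotations = False, 0
        self.fh = open(self.path, "ab")
    def feed(self, data):            # returns the number of complete records written
        self.buf += data
        written = 0
        while b"\n" in self.buf:     # TCP chunks split records anywhere; emit whole lines only
            rec, self.buf = self.buf.split(b"\n", 1)
            self.fh.write(rec + b"\n")
            written += 1
            if self.rotate_pending:  # boundary reached: honour the deferred rotation
                self.rotate()
        self.fh.flush()
        return written
    def request_rotate(self):
        if self.buf:                 # mid-record: defer so no record is split across files
            self.rotate_pending = True
        else:
            self.rotate()
    def rotate(self):
        self.fh.close()
        self.rotations += 1
        os.replace(self.path, f"{self.path}.{self.rotations}")
        self.fh, self.rotate_pending = open(self.path, "ab"), False

class AuditHandler(socketserver.StreamRequestHandler):
    def handle(self):
        client = self.client_address[0]
        with LOCK:
            log = LOGS.get(client) or LOGS.setdefault(client, ClientLog(LOG_DIR, client))
        while chunk := self.request.recv(4096):
            with LOCK:
                log.feed(chunk)

def rotate_all(signum=None, frame=None):   # SIGHUP: rotate every client's file
    with LOCK:
        for log in LOGS.values():
            log.request_rotate()

if __name__ == "__main__":
    LOG_DIR.mkdir(parents=True, exist_ok=True)
    signal.signal(signal.SIGHUP, rotate_all)
    socketserver.ThreadingTCPServer(("0.0.0.0", 6000), AuditHandler).serve_forever()
```

Because the records are stored in the daemon's own text format, `ausearch -if <file>` can be pointed at the per-client files directly.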