From: Steve Grubb
Subject: Re: Central Audit Server with Prelude and Prewikka - RHEL5
Date: Fri, 13 Feb 2009 15:27:31 -0500
Message-ID: <200902131527.31766.sgrubb@redhat.com>
In-Reply-To: <4995D3EE.3020005@groupw.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday 13 February 2009 03:11:26 pm Dan Gruhn wrote:
> I'm using Prelude and Prewikka to view events and I see the master as a
> sensor/source and its events, but I don't see the node. I thought that
> once the audit/syslog information was making it to the central files the
> rest would also work but that doesn't seem to be the case.

Prelude has its own messaging protocol. It picks things out of its
configuration files to fill in various fields in its data packets. So, if you
have the audit-prelude sensor reading aggregated logs, it won't know these
are coming from all over the place.

To use prelude the way it wants to be set up, you would have the audisp-prelude
sensor on each machine sending to a central prelude-manager. Let audit send
its data to its aggregator and prelude send its own data to its aggregator.
Yes, there will be duplication...but it will work better.

-Steve
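The two parallel paths the reply recommends, written out as an added per-host configuration sketch that is not from the original thread. It assumes the audispd plugin layout of the audit 1.7 packages on RHEL5 (/etc/audisp/plugins.d/*.conf, /etc/audisp/audisp-remote.conf); the hostnames are placeholders.

```ini
# Added example, not from the original thread. Per-host audispd plugin
# configuration for the split Steve describes: raw audit records go to
# the audit aggregator, and the audisp-prelude sensor on this host reports
# to prelude-manager directly, so the manager sees each node as a source.
# File layout assumes audit 1.7 on RHEL5; hostnames are placeholders.

# --- /etc/audisp/plugins.d/au-prelude.conf (on every monitored host) ---
# Hands each audit event to the prelude sensor, which converts it to IDMEF
# and sends it to the manager itself instead of reading an aggregated log.
active = yes
direction = out
path = /sbin/audisp-prelude
type = always
#args =
format = string

# --- /etc/audisp/plugins.d/au-remote.conf (same host) ---
# Separate plugin for the audit side: forwards the raw records to the
# central auditd, keeping the audit trail independent of prelude.
active = yes
direction = out
path = /sbin/audisp-remote
type = always
#args =
format = string

# --- /etc/audisp/audisp-remote.conf (same host) ---
# Destination for audit-side aggregation (placeholder hostname).
remote_server = audit-aggregator.example.invalid
port = 60

# Not shown as config: the sensor still has to be registered with the
# manager host via prelude-admin (profile name as set in
# /etc/audisp/audisp-prelude.conf), then auditd is restarted so audispd
# reloads its plugins. Each event is then delivered twice, once per path,
# which is the duplication the reply says to expect.
```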