From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: audisp-remote and audisp-prelude question
Date: Tue, 24 Mar 2009 12:41:41 -0400
Message-ID: <200903241241.41529.sgrubb@redhat.com>
References: <200902271033.21486.sgrubb@redhat.com>
	<200902271156.55861.sgrubb@redhat.com>
	<1237912188.9480.258.camel@homeserver>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from x2.localdomain (vpn-232-139.phx2.redhat.com [10.3.232.139])
	by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id q59Efuvj006658
	for <linux-audit@redhat.com>; Sat, 9 Jun 2012 10:41:56 -0400
In-Reply-To: <1237912188.9480.258.camel@homeserver>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday 24 March 2009 12:29:48 LC Bruzenak wrote:
> On the prewikka screen I only see the second event.

prelude is its own protocol and picks out certain data from its config files and 
puts in its packets. The intended use is each machine sends its prelude alerts 
to a common prelude manager. Each audit event is sent to its aggregator. The 
two systems diverge at audispd.

kernel->auditd->audispd-+->audisp-prelude->prelude-manager
                                               +->audisp-remote->auditd

-Steve