public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: question on syslog-ng and auditd
Date: Wed, 26 Oct 2011 17:35:37 -0400
Message-ID: <201110261735.37302.sgrubb@redhat.com>
In-Reply-To: <OF9C1C7795.5F4FC987-ON88257935.0066E547-86257935.0069895C@usbank.com>

On Wednesday, October 26, 2011 03:12:44 PM larry.erdahl@usbank.com wrote:
> I want to send my auditd messages to our local log collector via
> syslog-ng, what is the recommended way of doing this?

If the auditd daemon never starts up, the events go to syslog by default. All you need
to do is come up with a way for the rules to get loaded. If that is not good, there is
a syslog plugin for audispd that will send events to syslog. You can also configure
auditd not to write to disk.

> Can I enter syslog-ng as the dispatcher?

No. It wouldn't know how to interpret the data stream.

> Does anyone know if Red Hat or anyone else offers training for auditd or can you
> recommend any books that might help?

I just posted a set of slides from a recent speech here:
http://people.redhat.com/sgrubb/audit/audit_ids_2011.pdf

It gives a good review of how it works. Also, the CAPP/LSPP cert rpms have some admin
guidance on the audit system as does the security target that went with the certs.

-Steve

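The two configuration changes Steve describes (enable the audispd syslog plugin, stop auditd writing to disk), shown as an added example that is not part of the original thread. It assumes the file layout of the audit 2.x packages of that era: the plugin file at /etc/audisp/plugins.d/syslog.conf and the daemon file at /etc/audit/auditd.conf. The keyword for disabling disk logging was `log_format = NOLOG` in those versions; later releases replaced it with `write_logs = no`, so check `man auditd.conf` on the system you are configuring.

```ini
# /etc/audisp/plugins.d/syslog.conf   (assumed path; audispd syslog plugin)
# The stock file ships with "active = no". Switching it to yes makes audispd
# hand every event to its builtin syslog writer, which syslog-ng can then
# forward to the collector like any other local syslog message.
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO        ; syslog priority the events are logged at
format = string

# /etc/audit/auditd.conf   (assumed path; only the relevant line shown)
# NOLOG keeps auditd from writing /var/log/audit/audit.log while still
# feeding events to the dispatcher. Newer audit releases use "write_logs = no".
log_format = NOLOG
```

audispd reads plugins.d at startup, so restart auditd (`service auditd restart` on the RHEL releases of that time) after editing either file, then confirm with `ausearch` or a quick `logger`-free check that new audit records appear in the syslog stream. Keep in mind that once the local audit.log is disabled the syslog path is the only copy of the records: syslog-ng's buffering and the network link become part of the audit trail's availability, and a collector outage means lost events rather than a backlog on disk.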