* question on syslog-ng and auditd
@ 2011-10-26 19:12 larry.erdahl
2011-10-26 21:35 ` Steve Grubb
0 siblings, 1 reply; 2+ messages in thread
From: larry.erdahl @ 2011-10-26 19:12 UTC (permalink / raw)
To: Linux-audit
I want to send my auditd messages to our local log collector via
syslog-ng; what is the recommended way of doing this? Can I enter
syslog-ng as the dispatcher, or do I need to first send the logs to disk
and then read from the audit.log file? I have no reason to store these
messages on disk. This might be out of the realm of this group, but any
syslog-ng config recommendation would be appreciated.
As you can see from my question I'm a novice when it comes to auditd and
syslog-ng. I've read all resource materials found in
/usr/share/doc/packages/audit and googled a lot of good information and
have learned a great deal from monitoring this forum, but I'm still
struggling with auditd. Does anyone know if Redhat or anyone else offers
training for auditd or can you recommend any books that might help?
Thanks...
Larry E. Erdahl
Information Security Services
Computer Security Incident Response Team (CSIRT)
1 Meridian Crossing
Richfield, MN 55423
Mail Code: EP-MN-MS6I
Office Phone: (612)973-7153
* Re: question on syslog-ng and auditd
From: Steve Grubb @ 2011-10-26 21:35 UTC (permalink / raw)
To: linux-audit
On Wednesday, October 26, 2011 03:12:44 PM larry.erdahl@usbank.com wrote:
> I want to send my auditd messages to our local log collector via
> syslog-ng, what is the recommended way of doing this?
If the auditd daemon never starts up, the events go to syslog by default. All you need
to do is come up with a way for the rules to get loaded. If that is not good, there is
a syslog plugin for audispd that will send events to syslog. You can also configure
auditd not to write to disk.
> Can I enter syslog-ng as the dispatcher
No. It wouldn't know how to interpret the data stream.
> Does anyone know if Redhat or anyone else offers training for auditd or can you
> recommend any books that might help?
I just posted a set of slides from a recent speech here:
http://people.redhat.com/sgrubb/audit/audit_ids_2011.pdf
It gives a good review of how it works. Also, the CAPP/LSPP cert rpms have some admin
guidance on the audit system as does the security target that went with the certs.
-Steve
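The audispd syslog plugin route Steve describes, written out as an added configuration example (not from the original thread or from the audit project's documentation). It assumes syslog-ng 3.x with the system() source, a collector reachable at the placeholder name collector.example.com on TCP 514, and the builtin plugin's default tag "audispd" on the messages it emits.

```conf
# --- /etc/audisp/plugins.d/syslog.conf ---
# Enable the builtin audispd syslog plugin so every event auditd dispatches
# is also handed to the local syslog daemon (here syslog-ng). The messages
# carry the program tag "audispd", which the syslog-ng filter below keys on.
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string

# --- /etc/auditd.conf (relevant line only) ---
# Stop auditd from writing /var/log/audit/audit.log. Events still reach the
# dispatcher and therefore the plugin above, and because auditd itself keeps
# running, the init script still loads /etc/audit/audit.rules at boot.
# Newer audit releases spell this setting "write_logs = no" instead.
log_format = NOLOG

# --- /etc/syslog-ng/syslog-ng.conf (additions) ---
# Pick the audispd-tagged records out of the local stream and forward them
# to the collector over TCP rather than UDP so records are not silently
# dropped under load. "collector.example.com" is a placeholder hostname.
source s_local { system(); internal(); };
filter f_audit { program("audispd"); };
destination d_audit_collector {
    tcp("collector.example.com" port(514));
};
log { source(s_local); filter(f_audit); destination(d_audit_collector); };
```

Restart auditd (which restarts audispd with the plugin enabled) and reload syslog-ng, then confirm that lines tagged audispd arrive at the collector before relying on the NOLOG setting, since with it there is no local copy to fall back on.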