public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: burn@swtf.dyndns.org
Cc: linux-audit@redhat.com
Subject: Re: Advice on enriching logs with user and group names before moving them to a central log repository
Date: Sat, 18 Aug 2012 09:17:58 -0400	[thread overview]
Message-ID: <3709043.zekkNyqGVW@x2> (raw)
In-Reply-To: <1344592289.19273.30.camel@swtf>

On Friday, August 10, 2012 07:51:29 PM Burn Alting wrote:
> Steve,
> 
> I will go ahead with my audispd child program that enriches logs and use
> rsyslog to get them to a central repository.
> I also plan to concatenate all messages belonging to the same event (i.e.
> time:event_id) and send this as one syslog message to the central
> repository.
> I'd rather do this on the client systems rather than at my central
> repository, in order to gain the benefits of, effectively, distributed
> processing.
> 
> I have some concerns though:
>     - Does the concatenation of messages belonging to one event, outside
> of bad code on my part, have some non-obvious risks (from those of you
> who have done this?)

The only problem might be that you will no longer be able to use any of the 
native reporting tools. If you don't use them anyways, then no problem.


>     - I intend that my code will have as small an overhead as I can, but
> do I risk issues such as overruns of the audispd queue?

Yes. You need to make it multi-threaded if you do experience overflows, with one 
thread dequeueing and another processing.


>     - Do messages from different events ever get intermixed in the
> output via audispd? And hence I need to cater for multiple simultaneous
> events streaming in?

Yes. This is a big problem. About 2 years ago I fixed this in ausearch/report. 
I started to fix this in libauparse but then I remembered it has this state 
machine in it to deal with the feed interface. I didn't write that code so it 
will take some time for me to figure out what it is doing before fixing this 
problem. But basically you need a list of lists where each list is a 
collection of records that form one event.
> I will contribute my code to this list for what it's worth once I've
> completed it ... perhaps it can be added to the contrib/plugin tree
> given it passes this list's peer review.

I do plan to solve this problem at some point. Fixing the libauparse issue 
mentioned above is higher on my priority list.

-Steve
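The structure Steve describes above (a list of lists keyed by the event id, fed by one thread that drains audispd's pipe while another does the grouping and enrichment), as an added example sketch. This is not code from the thread or from the audit project, and it is in Python rather than the C an audispd plugin would normally be written in. It assumes records arrive in the raw `type=... msg=audit(ts:serial): ...` format, that the kernel's `type=EOE` record closes a multi-record event, that single-record events (which get no EOE) are closed by a timeout, and it uses constructed sample records plus a hand-written uid/gid map in place of pwd/grp lookups.

```python
import queue
import re
import threading

# Raw audit record header: type=<TYPE> msg=audit(<ts>:<serial>): <body>
# ts:serial is the event id that ties the records of one event together.
HDR = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):(?P<body>.*)$')
UID_FIELD = re.compile(r'\b(auid|uid|euid|suid|fsuid|ouid)=(\d+)\b')
GID_FIELD = re.compile(r'\b(gid|egid|sgid|fsgid|ogid)=(\d+)\b')
EOE = 'EOE'  # the kernel closes every multi-record event with a type=EOE record


def enrich(body, users, groups):
    """Append the symbolic name after each numeric uid/gid field.
    users/groups are id->name dicts (constructed here; a real plugin would
    call pwd.getpwuid/grp.getgrgid and cache the answers)."""
    body = UID_FIELD.sub(lambda m: f"{m[1]}={m[2]}({users.get(int(m[2]), '?')})", body)
    body = GID_FIELD.sub(lambda m: f"{m[1]}={m[2]}({groups.get(int(m[2]), '?')})", body)
    return body


class EventAssembler:
    """The 'list of lists': one open record list per in-flight event id, so
    records of concurrently emitted events may be interleaved on the pipe."""

    def __init__(self, max_age=2.0):
        self.open = {}        # (ts, serial) -> [(type, body), ...]
        self.max_age = max_age
        self.latest = 0.0     # newest event timestamp seen so far

    def add(self, line):
        """Return (key, records) when the line completes an event, else None."""
        m = HDR.match(line)
        if not m:
            return None       # not an audit record; a real plugin would log this
        key = (m['ts'], m['serial'])
        self.latest = max(self.latest, float(m['ts']))
        self.open.setdefault(key, []).append((m['type'], m['body']))
        if m['type'] == EOE:
            return key, self.open.pop(key)
        return None

    def expire(self, now):
        """Single-record events never get an EOE: close anything older than
        max_age. Event time is used here; a live plugin should compare the
        wall-clock time of first sight instead."""
        done = []
        for key in sorted(self.open, key=lambda k: (float(k[0]), int(k[1]))):
            if now - float(key[0]) >= self.max_age:
                done.append((key, self.open.pop(key)))
        return done


def to_syslog(key, records, users, groups):
    """One syslog message per event. Check the length against the transport
    (rsyslog's $MaxMessageSize) since concatenated events can get long."""
    parts = [f"type={t}{enrich(b, users, groups)}" for t, b in records if t != EOE]
    return f"audit({key[0]}:{key[1]}) n={len(parts)} " + " | ".join(parts)


def process_stream(lines, users, groups, max_age=2.0):
    """Reader thread drains the pipe quickly; worker thread does the slower
    grouping and enrichment. The bounded queue is the backpressure point,
    so size it so the reader rarely blocks (a stalled reader means audispd
    cannot hand off records and its own queue overflows)."""
    q = queue.Queue(maxsize=10000)
    out = []

    def reader():
        for line in lines:
            q.put(line.rstrip('\n'))
        q.put(None)                       # end-of-stream sentinel

    def worker():
        asm = EventAssembler(max_age)
        while (line := q.get()) is not None:
            done = asm.add(line)
            if done:
                out.append(to_syslog(*done, users, groups))
            for key, recs in asm.expire(asm.latest):
                out.append(to_syslog(key, recs, users, groups))
        for key, recs in asm.expire(float('inf')):   # flush at EOF
            out.append(to_syslog(key, recs, users, groups))

    threads = [threading.Thread(target=reader), threading.Thread(target=worker)]
    for t in threads: t.start()
    for t in threads: t.join()
    return out


# Constructed sample: two interleaved multi-record events plus a single-record one.
SAMPLE = """\
type=SYSCALL msg=audit(1344592289.100:101): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=1000 gid=1000 euid=1000 ses=4 comm="cat" exe="/bin/cat" key="etc-access"
type=SYSCALL msg=audit(1344592289.101:102): arch=c000003e syscall=2 success=no exit=-13 auid=1001 uid=1001 gid=1001 euid=1001 ses=5 comm="vim" exe="/usr/bin/vim" key="etc-access"
type=CWD msg=audit(1344592289.100:101):  cwd="/home/alice"
type=PATH msg=audit(1344592289.101:102): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100000 ouid=0 ogid=0
type=PATH msg=audit(1344592289.100:101): item=0 name="/etc/passwd" inode=1230 dev=fd:01 mode=0100644 ouid=0 ogid=0
type=EOE msg=audit(1344592289.101:102):
type=EOE msg=audit(1344592289.100:101):
type=USER_LOGIN msg=audit(1344592292.000:103): pid=900 uid=0 auid=1000 ses=6 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
""".splitlines()
USERS = {0: 'root', 1000: 'alice', 1001: 'bob'}      # constructed, not from pwd
GROUPS = {0: 'root', 1000: 'alice', 1001: 'bob'}     # constructed, not from grp


def demo():
    return process_stream(SAMPLE, USERS, GROUPS)


if __name__ == '__main__':
    for msg in demo():
        print(msg)
```

Event 102 completes before 101 even though 101 started first, which is exactly the interleaving the question asks about; the single-record USER_LOGIN only leaves the assembler at end of stream (or after the timeout in a long-running plugin).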

Thread overview: 9+ messages
2012-08-02 10:54 Advice on enriching logs with user and group names before moving them to a central log repository Burn Alting
2012-08-02 13:54 ` John Dennis
2012-08-02 16:26   ` Guillaume Destuynder
2012-08-02 21:12     ` Miloslav Trmac
2012-08-02 21:19       ` John Dennis
2012-08-06 17:51   ` Steve Grubb
2012-08-10  9:51     ` Burn Alting
2012-08-10 16:57       ` Michael Mather
2012-08-18 13:17       ` Steve Grubb [this message]