From: John Dennis <jdennis@redhat.com>
To: LC Bruzenak <lenny@magitekltd.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] Add auditd listener and remote audit protocol
Date: Thu, 14 Aug 2008 19:37:32 -0400 [thread overview]
Message-ID: <48A4C1BC.3060309@redhat.com> (raw)
In-Reply-To: <1218756409.7022.255.camel@homeserver>
LC Bruzenak wrote:
> Thank you; I get it now.
> This is about to get interesting! :)
>
> Not certain why I didn't get it the first time, but for some reason I
> had not considered sending the events into the auditd loop.
> I was thinking of just aggregating the logfiles. Now it makes sense.
>
> My one auditd machine gets very busy occasionally - I sometimes drop
> events (rather than abort for a development machine) even after
> ratcheting up my event queue to 8K. Often this is due to an error I've
> introduced with too-general rules, so this is also not definitive.
>
> Now the question is what happens if the network hiccups and I cannot
> send the events from a client? I could still write the events to the
> local disk, but them getting them onto the intended aggregator is now
> tricky right? Will the sender keep track of the last event sent and
> recover once the connection is restored?
>
> I'm not disputing the approach, just trying to look down the road
> knowing problems I've experienced myself. There are some definite
> benefits to this approach I see also - the log files now are "blended"
> and you don't have to do any special directory hierarchy to accommodate
> the other events, for one.
>
This is why the IPA project has selected AMQP (www.amqp.org) as the
transport for centralized loggiing (included audit logs). AMQP will
queue in persistent storage messages which do not reach their
destination until delivery is assured. The thinking was AMQP was too
heavy weight a dependency for a simple centralized audit log but makes
sense in an enterprise deployment such as IPA.
--
John Dennis <jdennis@redhat.com>
next prev parent reply other threads:[~2008-08-14 23:37 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-08-14 21:43 [PATCH] Add auditd listener and remote audit protocol DJ Delorie
2008-08-14 21:58 ` LC Bruzenak
2008-08-14 22:16 ` DJ Delorie
2008-08-14 23:00 ` John Dennis
2008-08-14 23:02 ` LC Bruzenak
2008-08-14 23:16 ` John Dennis
2008-08-14 23:55 ` Steve Grubb
2008-08-14 23:16 ` DJ Delorie
2008-08-14 23:26 ` LC Bruzenak
2008-08-14 23:37 ` John Dennis [this message]
2008-08-14 23:50 ` LC Bruzenak
2008-08-15 0:07 ` Steve Grubb
2008-08-15 0:22 ` LC Bruzenak
2008-08-15 0:27 ` Steve Grubb
2008-08-15 0:31 ` LC Bruzenak
2008-08-15 0:36 ` DJ Delorie
2008-08-15 0:41 ` LC Bruzenak
2009-09-29 17:52 ` LC Bruzenak
2009-09-29 18:51 ` Norman Mark St. Laurent
2009-09-29 19:14 ` LC Bruzenak
2009-09-29 19:27 ` Steve Grubb
2008-08-15 0:23 ` DJ Delorie
2008-08-15 0:04 ` Steve Grubb
2008-08-15 0:19 ` DJ Delorie
2008-08-15 0:23 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48A4C1BC.3060309@redhat.com \
--to=jdennis@redhat.com \
--cc=lenny@magitekltd.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox