From: "Loredan Stancu"
Subject: Re: audisp-prelude problems
Date: Wed, 3 Dec 2008 18:53:19 +0200 (EET)
Message-ID: <49424.193.230.245.33.1228323199.squirrel@secure.myclar.ro>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

> On Wed, 2008-12-03 at 17:28 +0200, Loredan Stancu wrote:
>
>> I know how to activate the audisp-plugin, what I asked is how can I use
>> it.
>>
>> What I need is an example of an application which can stay on the remote
>> host, listen for incoming events sent by audisp-remote plugin and store
>> these events in a regular file.
>
> OK.
> That's what the auditd does if the remote host is also SElinux.
>
> So - next questions:
>
> * Is the remote host not a SElinux machine? You'd need to emulate the
> protocol on the receive side.
>
> * If it is a SElinux machine (F9/F10/other?), do you want the
> originating events in a different place than the default? Like separated
> by sending host instead of lumped together with the other audit?
>
> If the latter is the case, there are ways of doing this now depending on
> your intent.

Supposing the remote system is an SElinux machine (a machine which stores
all the user activity sent by audisp-remote plugins; there is more than one
machine for which I want to store events), what should I do on this machine
to keep a separate events file for each machine?

> Also this is an area Steve has discussed may be open for modification.
> The auditd on the aggregating side may be able to separate data based on
> other criteria per user feedback.
>
> LCB.
>
> --
> LC (Lenny) Bruzenak
> lenny@magitekltd.com
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
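One way to get the per-sending-host separation asked about above, as an added example that is not from this thread or from the audit project: instead of re-implementing the audisp-remote protocol on the receiving side, let the aggregating auditd keep writing its single audit.log and post-process that file by the leading `node=` field. The example assumes (this is an assumption, not something stated in the thread) that the sending hosts' auditd.conf has `name_format` set so that forwarded records arrive prefixed with `node=<sender>`; records without that field are treated as local. The sample log lines, the `audit-<host>.log` naming and the output directory are constructed for the example.

```python
import re
import sys
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample of an aggregated audit.log on the receiving auditd.
# Assumption: forwarded records carry a leading "node=<sender>" field
# (set via name_format in the senders' auditd.conf); the DAEMON_START
# record is a local one and has no node= prefix.
SAMPLE_LOG = """\
node=web1 type=SYSCALL msg=audit(1228323199.123:45): arch=c000003e syscall=2 success=yes exit=3 comm="cat"
node=web1 type=PATH msg=audit(1228323199.123:45): item=0 name="/etc/passwd"
node=db1 type=USER_LOGIN msg=audit(1228323200.456:12): pid=2231 uid=0 auid=500 msg='op=login acct="alice"'
type=DAEMON_START msg=audit(1228323201.000:1): auditd start, ver=1.7.8
node=web1 type=USER_END msg=audit(1228323202.789:46): pid=2400 uid=0 auid=500 msg='op=PAM:session_close'
"""

NODE_RE = re.compile(r'^node=(\S+)\s+')
# Only plain host-name characters may become part of an output file name.
SAFE_NAME_RE = re.compile(r'[A-Za-z0-9._-]+')


def node_of(line):
    """Return the sending host named in a record, 'local' when the record
    has no node= field, or 'invalid' when the name could not safely be
    used as part of a file name (hypothetical hardening, not audit's)."""
    m = NODE_RE.match(line)
    if not m:
        return "local"
    name = m.group(1)
    if not SAFE_NAME_RE.fullmatch(name) or name in (".", ".."):
        return "invalid"
    return name


def split_by_node(text):
    """Group audit records by sending host; returns {host: [record lines]}."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        groups[node_of(line)].append(line)
    return dict(groups)


def write_per_host(text, outdir):
    """Append each host's records to <outdir>/audit-<host>.log and return
    {host: path} for the files written."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    written = {}
    for host, lines in split_by_node(text).items():
        path = out / f"audit-{host}.log"
        with path.open("a") as fh:
            fh.write("\n".join(lines) + "\n")
        written[host] = path
    return written


if __name__ == "__main__":
    # Usage: python split_audit.py [outdir] < /var/log/audit/audit.log
    # With no piped input the constructed sample log is used.
    src = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    dest = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    for host, path in write_per_host(src, dest).items():
        print(f"{host} -> {path}")
```

The `invalid` bucket exists because the node name comes from the sending host and is used to build a file name on the aggregator; restricting it to host-name characters keeps a malformed or hostile value from pointing the writer outside the output directory.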