From: John Dennis <jdennis@redhat.com>
To: Dan Gruhn <Dan.Gruhn@groupw.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit Logs and EventLog Analyzer
Date: Wed, 14 Jan 2009 14:08:15 -0500
Message-ID: <496E381F.8050106@redhat.com>
In-Reply-To: <496E3579.4030505@groupw.com>
Dan Gruhn wrote:
> I'm currently using AdventNet's EventLog Analyzer for auditing of a
> secure Windows machine and thought it would be nice to use for a
> secure RHEL 5.2 cluster as well since people would only need to use
> one interface. It seems to do well with the syslog entries, but I
> don't see anything about getting the auditd/ audit.log entries into
> it. Can anyone point me to some information on how to do this or
> should I give up on this and go the Prewikka route?
Isn't this a question for AdventNet?
* How do you currently get the syslog data into AdventNet? Are you
directing AdventNet to read /var/log/message? Is AdventNet reading a
syslog socket?
* Log analyzers need to understand the contents of a log file; does
AdventNet know how to parse and interpret audit data?
Basically you can feed audit log data to an analyzer in two different
ways: tell it to monitor the /var/log/audit/audit.log file, or write an
audispd plugin which sends the audit data to the analyzer (the code is
simple). But first you had better check that AdventNet can parse and
understand the data.
--
John Dennis <jdennis@redhat.com>
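The audispd-plugin route described above, as an added example that is not part of the original thread, the Linux audit project or AdventNet: a small Python plugin that parses each audit record audispd delivers on stdin and re-emits it as a syslog message to a collector, which is what a syslog-only analyzer can ingest. The analyzer host and UDP port are assumptions.

```python
#!/usr/bin/env python3
"""Minimal audispd plugin: read audit records on stdin, re-emit them as syslog over UDP.
Registered in /etc/audisp/plugins.d/ (path = this script, format = string), it receives
one audit record per line on stdin and forwards each as an RFC 3164 syslog message so a
syslog-only analyzer can ingest audit data. Added example, not audit-project or AdventNet code.
"""
import re
import socket
import sys

# type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <key=value fields ...>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value where value may be "quoted", 'quoted' (e.g. msg='acct="x" ...') or bare
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S*)""")

def parse_record(line):
    """Return the record's fields as a dict, or None if the line is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "timestamp": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    for key, val in FIELD_RE.findall(m.group("body")):
        rec[key] = val.strip("\"'")
    return rec

def to_syslog(rec, hostname="localhost", priority=13):
    """Render a parsed record as '<PRI>host audispd: k=v ...' (13 = user.notice)."""
    fields = " ".join(f"{k}={v}" for k, v in rec.items())
    return f"<{priority}>{hostname} audispd: {fields}"

def forward(lines, send, hostname="localhost"):
    """Hand each parsable record's syslog form to send(); return the count forwarded.
    Unparsable lines are skipped: a plugin that dies stops receiving events from audispd."""
    sent = 0
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            send(to_syslog(rec, hostname))
            sent += 1
    return sent

if __name__ == "__main__":
    # Analyzer host/port are assumptions; set them via 'args' in the plugin's .conf file
    dest = (sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1",
            int(sys.argv[2]) if len(sys.argv) > 2 else 514)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    forward(sys.stdin, lambda msg: sock.sendto(msg.encode(), dest), socket.gethostname())
```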