public inbox for linux-audit@redhat.com
* Audit Logs and EventLog Analyzer
@ 2009-01-14 18:56 Dan Gruhn
From: Dan Gruhn @ 2009-01-14 18:56 UTC (permalink / raw)
  To: linux-audit

I'm currently using AdventNet's EventLog Analyzer for auditing of a 
secure Windows machine and thought it would be nice to use for a secure 
RHEL 5.2 cluster as well since people would only need to use one 
interface.  It seems to do well with the syslog entries, but I don't see 
anything about getting the auditd/ audit.log entries into it.  Can 
anyone point me to some information on how to do this or should I give 
up on this and go the Prewikka route?

Thanks,

Dan


* Re: Audit Logs and EventLog Analyzer
From: John Dennis @ 2009-01-14 19:08 UTC (permalink / raw)
  To: Dan Gruhn; +Cc: linux-audit

Dan Gruhn wrote:
> I'm currently using AdventNet's EventLog Analyzer for auditing of a 
> secure Windows machine and thought it would be nice to use for a 
> secure RHEL 5.2 cluster as well since people would only need to use 
> one interface.  It seems to do well with the syslog entries, but I 
> don't see anything about getting the auditd/ audit.log entries into 
> it.  Can anyone point me to some information on how to do this or 
> should I give up on this and go the Prewikka route?
Isn't this a question for AdventNet?

* How do you currently get the syslog data into AdventNet? Are you 
directing AdventNet to read /var/log/message? Is AdventNet reading a 
syslog socket?

* Log analyzers need to understand the contents of a log file, does 
AdventNet know how to parse and interpret audit data?

Basically you can feed audit log data to an analyzer in two different 
ways: tell it to monitor the /var/log/audit/audit.log file, or write an 
audispd plugin which sends the audit data to the analyzer (the code is 
simple). But first you had better check that AdventNet can parse and 
understand the data.


-- 
John Dennis <jdennis@redhat.com>


* Re: Audit Logs and EventLog Analyzer
From: Dan Gruhn @ 2009-01-14 19:54 UTC (permalink / raw)
  Cc: linux-audit

John Dennis wrote:
> Dan Gruhn wrote:
>> I'm currently using AdventNet's EventLog Analyzer for auditing of a 
>> secure Windows machine and thought it would be nice to use for a 
>> secure RHEL 5.2 cluster as well since people would only need to use 
>> one interface.  It seems to do well with the syslog entries, but I 
>> don't see anything about getting the auditd/ audit.log entries into 
>> it.  Can anyone point me to some information on how to do this or 
>> should I give up on this and go the Prewikka route?
> Isn't this a question for AdventNet?
I have posted the same question on their forum.
>
> * How do you currently get the syslog data into AdventNet? Are you 
> directing AdventNet to read /var/log/message? Is AdventNet reading a 
> syslog socket?
The EventLog Analyzer (ELA) is monitoring port 6514 to receive 
information that would normally go to rsyslog (it could use 514, but I 
wanted to keep it separate).
>
> * Log analyzers need to understand the contents of a log file, does 
> AdventNet know how to parse and interpret audit data?
As far as I can tell from reading through their forums and website it 
doesn't currently handle the audit.log format.
>
> Basically you can feed audit log data to an analyzer in two different 
> ways: tell it to monitor the /var/log/audit/audit.log file, or write an 
> audispd plugin which sends the audit data to the analyzer (the code is 
> simple). But first you had better check that AdventNet can parse and 
> understand the data.
A pointer to a HowTo on audispd plugins would be appreciated, but I 
thought perhaps someone had already done this and I wouldn't have to 
write something on my own.  You can't blame a guy for hoping.

Dan

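A minimal sketch of the audispd-plugin route John describes, and the kind of HowTo material Dan asks for, as an added example (not code from the thread, from audit, or from AdventNet): audispd hands the plugin one audit record per line on stdin; the plugin wraps each record in an RFC 3164 syslog line and sends it to the analyzer's listener (Dan's ELA on TCP 6514). The raw record rides verbatim in the syslog MSG so the analyzer can still parse it later. The analyzer host, the default hostname "rhel-node1" and the SAMPLE record are constructed; the plugin still has to be registered with audispd, which is not shown.

```python
import re
import socket
import sys
import time

# Every audit record begins: type=XXX msg=audit(SECS.MSECS:SERIAL): key=value ...
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")  # bare, "quoted" or 'nested msg'

# Constructed sample record (not from the thread): a failed ssh login.
SAMPLE = ("type=USER_LOGIN msg=audit(1231958400.123:456): pid=1234 uid=0 "
          "msg='op=login acct=\"dan\" exe=\"/usr/sbin/sshd\" addr=192.0.2.10 res=failed'")

def parse_fields(text):
    """Record body -> dict; descends into the nested msg='...' block."""
    fields = {}
    for key, val in FIELD_RE.findall(text):
        if val.startswith("'") and val.endswith("'"):
            fields.update(parse_fields(val[1:-1]))
        else:
            fields[key] = val.strip('"')
    return fields

def parse_record(line):
    """Audit record -> {type, time, serial, fields}; None if the line is not one."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, msecs, serial, body = m.groups()
    return {"type": rtype, "time": int(secs) + int(msecs) / 1000,
            "serial": int(serial), "fields": parse_fields(body)}

def to_syslog(record, raw_line, hostname="rhel-node1", facility=13):
    """RFC 3164 line, facility 13 (log audit); res=failed -> warning(4), else info(6)."""
    severity = 4 if record["fields"].get("res") == "failed" else 6
    stamp = time.strftime("%b %d %H:%M:%S", time.gmtime(int(record["time"])))  # UTC
    # The raw record rides verbatim in MSG so the analyzer can still parse it later.
    return "<%d>%s %s audispd: %s" % (facility * 8 + severity, stamp,
                                      hostname, raw_line.strip())

def forward(host, port, stream):
    """Send each audit record on `stream` (audispd uses stdin) to host:port over TCP."""
    with socket.create_connection((host, port)) as sock:
        for line in stream:
            rec = parse_record(line)
            if rec:   # skip non-audit lines instead of crashing the plugin
                sock.sendall((to_syslog(rec, line, socket.gethostname()) + "\n").encode())

if __name__ == "__main__":   # plugin args: <analyzer-host> <port>, e.g. 6514
    forward(sys.argv[1], int(sys.argv[2]), sys.stdin)
```

The same script, fed by `tail -F /var/log/audit/audit.log` instead of audispd, covers John's first option as well.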
