From: John Dennis
Subject: Re: Audit Logs and EventLog Analyzer
Date: Wed, 14 Jan 2009 14:08:15 -0500
Message-ID: <496E381F.8050106@redhat.com>
In-Reply-To: <496E3579.4030505@groupw.com>
To: Dan Gruhn
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Dan Gruhn wrote:
> I'm currently using AdventNet's EventLog Analyzer for auditing of a
> secure Windows machine and thought it would be nice to use it for a
> secure RHEL 5.2 cluster as well, since people would only need to use
> one interface. It seems to do well with the syslog entries, but I
> don't see anything about getting the auditd/audit.log entries into
> it. Can anyone point me to some information on how to do this, or
> should I give up on this and go the Prewikka route?

Isn't this a question for AdventNet?

* How do you currently get the syslog data into AdventNet? Are you
  directing AdventNet to read /var/log/messages? Is AdventNet reading a
  syslog socket?

* Log analyzers need to understand the contents of a log file; does
  AdventNet know how to parse and interpret audit data?

Basically you can feed audit log data to an analyzer in two different
ways: tell it to monitor the /var/log/audit/audit.log file, or write an
audispd plugin which sends the audit data to the analyzer (the code is
simple). But first you had better check that AdventNet can parse and
understand the data.

-- 
John Dennis
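The second option John describes, an audispd plugin, as an added example that is not from the original thread: audispd hands each audit record to the plugin on stdin, one record per line, and this script parses the record and forwards it as a syslog datagram to the analyzer's syslog listener. The analyzer address, the plugin path and the plugin configuration file name are assumptions, and the sample record in the test is constructed.

```python
#!/usr/bin/env python3
"""Minimal audispd output plugin: read audit records from stdin and forward
each one as an RFC 3164 syslog datagram to a log analyzer.

Assumed /etc/audisp/plugins.d/forward.conf (hypothetical file name):
    active = yes
    direction = out
    path = /usr/local/bin/audisp-forward.py
    type = always
    format = string
"""
import re
import socket
import sys
import time

ANALYZER = ("192.0.2.10", 514)  # placeholder: the analyzer's syslog UDP listener
FACILITY_LOCAL6, SEV_INFO = 22, 6
# type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <key=value ...>
AUDIT_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")

def parse_record(line):
    """Split one audit record into (type, seconds, serial, fields); None if not an audit record."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, _ms, serial, rest = m.groups()
    # values may be bare tokens or double-quoted strings; quotes are stripped
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    return rtype, int(secs), int(serial), fields

def to_syslog(hostname, rec):
    """Build an RFC 3164 line; PRI is facility*8 + severity, timestamp is 'Mmm dd HH:MM:SS'."""
    rtype, secs, serial, fields = rec
    pri = FACILITY_LOCAL6 * 8 + SEV_INFO
    t = time.gmtime(secs)
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    body = " ".join(f"{k}={v}" for k, v in fields.items())
    return f"<{pri}>{stamp} {hostname} audispd: type={rtype} serial={serial} {body}"

def main():
    host = socket.gethostname()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for line in sys.stdin:          # audispd writes one record per line
        rec = parse_record(line)
        if rec is None:
            continue                # ignore anything that is not an audit record
        sock.sendto(to_syslog(host, rec).encode(), ANALYZER)

if __name__ == "__main__":
    main()
```

Whether the analyzer then does anything useful with the forwarded records is exactly the parsing question raised above; forwarding only gets the data to its door.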