From: Dan Gruhn
Subject: Re: Audit Logs and EventLog Analyzer
Date: Wed, 14 Jan 2009 14:54:17 -0500
Message-ID: <496E42E9.8090402@groupw.com>
In-Reply-To: <496E381F.8050106@redhat.com>
References: <496E3579.4030505@groupw.com> <496E381F.8050106@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

John Dennis wrote:
> Dan Gruhn wrote:
>> I'm currently using AdventNet's EventLog Analyzer for auditing of a
>> secure Windows machine and thought it would be nice to use for a
>> secure RHEL 5.2 cluster as well since people would only need to use
>> one interface. It seems to do well with the syslog entries, but I
>> don't see anything about getting the auditd/audit.log entries into
>> it. Can anyone point me to some information on how to do this or
>> should I give up on this and go the Prewikka route?
> Isn't this a question for AdventNet?

I have posted the same question on their forum.

> * How do you currently get the syslog data into AdventNet? Are you
> directing AdventNet to read /var/log/message? Is AdventNet reading a
> syslog socket?

The EventLog Analyzer (ELA) is monitoring port 6514 to receive information
that would normally go to rsyslog (it could use 514, but I wanted to keep it
separate).

> * Log analyzers need to understand the contents of a log file, does
> AdventNet know how to parse and interpret audit data?

As far as I can tell from reading through their forums and website it
doesn't currently handle the audit.log format.

> Basically you can feed audit log data to an analyzer in two different
> ways, tell it to monitor the /var/log/audit/audit.log file or write an
> audispd plugin which sends the audit data to the analyzer (code is
> simple). But first you had better check AdventNet can parse and
> understand the data.

A pointer to a HowTo on audispd plugins would be appreciated, but I thought
perhaps someone had already done this and I wouldn't have to write something
on my own. You can't blame a guy for hoping.

Dan
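A sketch of the audispd-plugin route John describes, added here as an example (it is not code from this thread, from AdventNet or from the audit project): it parses audit.log-format records arriving on stdin, the way audispd hands events to a plugin, and forwards each one as a syslog line to a TCP collector on the port the thread mentions (6514). The collector address, the syslog facility and the field-splitting regex are assumptions; the sample record in the test is constructed.

```python
#!/usr/bin/env python3
"""Minimal audispd-style plugin: read audit records on stdin, forward each as
a BSD-syslog line over TCP to a collector such as an EventLog Analyzer
instance listening on port 6514. Example code for this thread, not a
product's or the audit project's own plugin."""
import re
import socket
import sys
import time

COLLECTOR = ("127.0.0.1", 6514)   # assumed collector address; port taken from the thread
PRI = 10 * 8 + 6                  # syslog PRI: facility authpriv (10), severity info (6), assumed

# audit.log records look like: type=SYSCALL msg=audit(1231962857.123:4567): key=value ...
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value pairs; values may be bare, "double-quoted" or 'single-quoted'
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_audit_record(line):
    """Split one audit.log line into type, timestamp, serial and its fields.
    Returns None for lines that are not audit records (so junk is skipped)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    rec["fields"] = {k: v.strip("\"'") for k, v in FIELD_RE.findall(m.group(4))}
    return rec


def format_syslog(rec, hostname):
    """Render a parsed record as an RFC 3164-style line: <PRI>TIMESTAMP HOST TAG: MSG."""
    t = time.localtime(rec["time"])
    stamp = time.strftime("%b", t) + f" {t.tm_mday:2d} " + time.strftime("%H:%M:%S", t)
    body = " ".join(f"{k}={v}" for k, v in rec["fields"].items())
    return f"<{PRI}>{stamp} {hostname} audispd: type={rec['type']} serial={rec['serial']} {body}"


def forward(stream, sock, hostname):
    """Read records from stream, send each as one syslog line; return the count sent."""
    sent = 0
    for line in stream:
        rec = parse_audit_record(line)
        if rec is None:
            continue
        sock.sendall((format_syslog(rec, hostname) + "\n").encode())
        sent += 1
    return sent


if __name__ == "__main__":
    with socket.create_connection(COLLECTOR) as s:
        forward(sys.stdin, s, socket.gethostname())
```

The script is registered with audispd through a file in /etc/audisp/plugins.d/ whose `format = string` setting makes audispd pass it the same text records that land in audit.log; its only runtime dependency is the collector accepting plain TCP syslog on that port.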