From: John Dennis <jdennis@redhat.com>
To: burn@swtf.dyndns.org
Cc: linux-audit@redhat.com
Subject: Re: Advice on enriching logs with user and group names before moving them to a central log repository
Date: Thu, 02 Aug 2012 09:54:46 -0400 [thread overview]
Message-ID: <501A86A6.1020004@redhat.com> (raw)
In-Reply-To: <1343904854.4074.76.camel@swtf>
On 08/02/2012 06:54 AM, Burn Alting wrote:
> Hi,
>
> I have a scenario of a mixed collection of Linux systems, some that have
> users authenticate via a central ldap, others have local (/etc/passwd)
> authentication.
> This means I cannot 100% depend that the user name say, fred, with uid
> 1000, has the same uid on every machine he has an account on. Thus
> before I send my logs to
> a central server, I want to enrich them with user and group names I
> validate at the local machine. That is, I want to change an event's ids from
>
> .... uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=43
> sgid=43 fsgid=43 ....
>
> to
>
> .... uid=1000(fred) gid=1000(prog) euid=1000(fred) suid=1000(fred)
> fsuid=1000(fred) egid=43(utmp) sgid=43(utmp) fsgid=43(utmp) ....
>
>
> I BELIEVE my best approach is use the event multiplexor (audispd) to
> convert raw logs via a child program, say based on the sample code,
> audisp-example (i.e. using the auparse library)
> and send the output of this audisp-example variant to syslog to get
> the event to a central repository.
>
> Is this the best approach?
>
> Are there parameters I should consider for audisp.conf (e.g. q_depth =
> 99999)? Does such a configuration option in audisp.conf suggest I make
> the buffer size set in audit.rules to something higher?
>
> Is there any consideration to having auditd have a option to directly
> generate user and group names in addition to uid and gids?
A while ago we were actively working on central log aggregation and ran
into exactly this problem. There are a number of items in an audit log
whose value can only be interpreted on the machine the event occurred on
and at the moment the event occurs (or within a short duration).
There were plans to author a audit plugin that would augment the data
items with their (interpreted) value. I'm not sure whatever happened to
that plugin. Steve, can you elaborate?
--
John Dennis <jdennis@redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
next prev parent reply other threads:[~2012-08-02 13:54 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-02 10:54 Advice on enriching logs with user and group names before moving them to a central log repository Burn Alting
2012-08-02 13:54 ` John Dennis [this message]
2012-08-02 16:26 ` Guillaume Destuynder
2012-08-02 21:12 ` Miloslav Trmac
2012-08-02 21:19 ` John Dennis
2012-08-06 17:51 ` Steve Grubb
2012-08-10 9:51 ` Burn Alting
2012-08-10 16:57 ` Michael Mather
2012-08-18 13:17 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=501A86A6.1020004@redhat.com \
--to=jdennis@redhat.com \
--cc=burn@swtf.dyndns.org \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox