public inbox for linux-audit@redhat.com
From: John Dennis <jdennis@redhat.com>
To: Miloslav Trmac <mitr@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Advice on enriching logs with user and group names before moving them to a central log repository
Date: Thu, 02 Aug 2012 17:19:56 -0400	[thread overview]
Message-ID: <501AEEFC.6020301@redhat.com> (raw)
In-Reply-To: <378292340.14664596.1343941945408.JavaMail.root@redhat.com>

On 08/02/2012 05:12 PM, Miloslav Trmac wrote:
> I'm not 100% sure what you mean, but is perhaps
> auparse_interpret_field what you are looking for?  It returns an
> "interpreted" (as opposed to "raw") version of the field, e.g. a name
> instead of a UID.

Yes, that's the correct function to call. However it should be done by a 
plugin which iterates over all the items and adds an interpreted result 
to the raw result. For long term detached audit purposes you need both 
the raw and interpreted value. The plugin then emits the augmented data 
containing both the raw and interpreted values.

-- 
John Dennis <jdennis@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
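
The enrichment John describes, as an added example that is not part of this thread: a small Python stand-in for the plugin, which walks the fields of a raw audit record and appends an interpreted companion field for each numeric user/group id while leaving the raw value in place. Assumptions of the example: name resolution goes through pwd/grp instead of auparse_interpret_field, the companion field is the upper-cased key (uid=1000 becomes uid=1000 UID="alice"), and the field list and the 4294967295 "unset" sentinel follow audit's usual conventions.

```python
import grp
import pwd
import re
from typing import Callable, List, Optional

# Fields whose numeric value names a user or a group (assumption: the ids a
# plugin would pass through auparse_interpret_field).
USER_FIELDS = {"uid", "auid", "euid", "suid", "fsuid", "ouid"}
GROUP_FIELDS = {"gid", "egid", "sgid", "fsgid", "ogid"}
UNSET_ID = 4294967295  # audit's (uint32)-1 sentinel, shown as "unset"

Resolver = Callable[[int], Optional[str]]
_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def system_user(uid: int) -> Optional[str]:
    """Resolve a UID against the local passwd database (None if unknown)."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def system_group(gid: int) -> Optional[str]:
    """Resolve a GID against the local group database (None if unknown)."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return None


def enrich(line: str, user: Resolver = system_user,
           group: Resolver = system_group) -> str:
    """Append interpreted names to a raw audit record without touching it.

    The raw numeric value stays for exact matching on the central host; the
    added upper-case field carries the name as this host knew it at the time,
    which is what a detached, long-term copy of the log needs.
    """
    extra: List[str] = []
    for key, value in _FIELD_RE.findall(line):
        if key not in USER_FIELDS and key not in GROUP_FIELDS:
            continue
        if not value.isdigit():
            continue  # already symbolic or malformed: leave it alone
        num = int(value)
        if num == UNSET_ID:
            name: Optional[str] = "unset"
        else:
            name = (user if key in USER_FIELDS else group)(num)
        if name is not None:  # unresolvable ids keep only their raw value
            extra.append(f'{key.upper()}="{name}"')
    return line if not extra else f"{line} {' '.join(extra)}"
```
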

Thread overview: 9+ messages
2012-08-02 10:54 Advice on enriching logs with user and group names before moving them to a central log repository Burn Alting
2012-08-02 13:54 ` John Dennis
2012-08-02 16:26   ` Guillaume Destuynder
2012-08-02 21:12     ` Miloslav Trmac
2012-08-02 21:19       ` John Dennis [this message]
2012-08-06 17:51   ` Steve Grubb
2012-08-10  9:51     ` Burn Alting
2012-08-10 16:57       ` Michael Mather
2012-08-18 13:17       ` Steve Grubb
