Re: Auditing network traffic

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: Lev Stipakov <lstipakov@gmail.com>
To: Steve Grubb <sgrubb@redhat.com>, linux-audit@redhat.com
Subject: Re: Auditing network traffic
Date: Thu, 21 Jan 2016 22:49:37 +0200	[thread overview]
Message-ID: <56A14461.2020109@gmail.com> (raw)
In-Reply-To: <13584577.zLtyaCJgkZ@x2>

On 21.01.2016 18:50, Steve Grubb wrote:

> I'd say it would be better because you don't have to do nearly as much work.
> The kernel takes care of all the heavy lifting and you just filter on
> NETFILTER_PKT events.

Good to know, thanks!

> There are plenty of examples of how to do logging of netfilter events. You can
> just copy the examples and substitute AUDIT as the target (but you have to add
> a --type argument after it). A couple examples I found after a quick search:

Sorry, I probably was not clear here. I am able to catch packets by 
adding iptables rules like ones you've mentioned and process events 
(with record type AUDIT_NETFILTER_PKT) by code inside my plugin.

The problem is, I would prefer them not to be written to logfiles. My 
business logic does not require that (everything is handled by plugin 
code), and I noticed that logs are rotated quite fast (I capture all 
incoming/outgoing packets). So, is there any way to disable logging and 
make audit deliver those events to plugin only?

-Lev

next prev parent reply	other threads:[~2016-01-21 20:49 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-01-20 14:26 Auditing network traffic Lev Stipakov
2016-01-20 15:18 ` Steve Grubb
2016-01-20 15:29   ` Steve Grubb
2016-01-20 18:05     ` F Rafi
2016-01-20 18:30       ` Steve Grubb
2016-01-21  9:49     ` Lev Stipakov
2016-01-21 16:50       ` Steve Grubb
2016-01-21 20:49         ` Lev Stipakov [this message]
2016-01-21 22:09           ` Steve Grubb
2016-01-20 21:40 ` Paul Moore
2016-01-21  5:19 ` Peter Moody

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=56A14461.2020109@gmail.com \
    --to=lstipakov@gmail.com \
    --cc=linux-audit@redhat.com \
    --cc=sgrubb@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox