From: Lev Stipakov
Subject: Re: Auditing network traffic
Date: Thu, 21 Jan 2016 22:49:37 +0200
Message-ID: <56A14461.2020109@gmail.com>
References: <3655233.WIOkSfVQiu@x2> <56A0A999.9090401@gmail.com> <13584577.zLtyaCJgkZ@x2>
In-Reply-To: <13584577.zLtyaCJgkZ@x2>
To: Steve Grubb, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 21.01.2016 18:50, Steve Grubb wrote:
> I'd say it would be better because you don't have to do nearly as much work.
> The kernel takes care of all the heavy lifting and you just filter on
> NETFILTER_PKT events.

Good to know, thanks!

> There are plenty of examples of how to do logging of netfilter events. You can
> just copy the examples and substitute AUDIT as the target (but you have to add
> a --type argument after it). A couple of examples I found after a quick search:

Sorry, I probably was not clear here. I am able to catch packets by adding
iptables rules like the ones you've mentioned and process the events (with
record type AUDIT_NETFILTER_PKT) with code inside my plugin.

The problem is, I would prefer them not to be written to logfiles. My business
logic does not require that (everything is handled by plugin code), and I
noticed that logs are rotated quite fast (I capture all incoming/outgoing
packets).

So, is there any way to disable logging and make audit deliver those events to
the plugin only?

-Lev
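The filtering step the thread refers to (an iptables rule with the AUDIT target and a --type argument producing records, and a plugin keeping only the NETFILTER_PKT ones) as an added example; this is not code from the thread, from Lev's plugin or from the audit project. It assumes the audispd convention that a plugin receives records as text on stdin, one record per line. The sample records are constructed by hand, and their field names (action, hook, saddr, daddr, proto, sport, dport) are an assumption about the record layout, not copied from a real log.

```python
"""Filter NETFILTER_PKT records the way an audisp plugin would.

Added example, not code from the linux-audit thread or the audit project.
The rule that produces such records has the form suggested in the thread:
    iptables -A INPUT -j AUDIT --type accept
An audispd plugin gets each record as one text line on stdin; everything
else on the stream (SYSCALL, CWD, ...) has to be skipped by the plugin.
"""
import re
import sys
from collections import Counter

# Constructed sample input standing in for what the plugin sees on stdin.
# Timestamps, serials and field names are made up for the example.
SAMPLE_RECORDS = """\
type=NETFILTER_PKT msg=audit(1453409377.101:1001): action=0 hook=1 len=60 inif=eth0 outif=? saddr=10.0.0.5 daddr=10.0.0.9 ipid=1 proto=6 sport=44321 dport=22
type=SYSCALL msg=audit(1453409377.102:1002): arch=c000003e syscall=59 success=yes exit=0
type=NETFILTER_PKT msg=audit(1453409377.103:1003): action=0 hook=1 len=84 inif=eth0 outif=? saddr=10.0.0.7 daddr=10.0.0.9 ipid=2 proto=1
type=NETFILTER_PKT msg=audit(1453409377.104:1004): action=0 hook=3 len=60 inif=? outif=eth0 saddr=10.0.0.9 daddr=10.0.0.5 ipid=3 proto=6 sport=22 dport=44321
"""

# "type=X msg=audit(<seconds>:<serial>): <key=value ...>"
_HEADER = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$'
)
# key=value pairs; values may be quoted strings or bare tokens
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_record(line):
    """Parse one audit record line into a dict, or return None if it is not one."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = {
        "type": m.group("type"),
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
    }
    for key, val in _FIELD.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def netfilter_packets(lines):
    """Yield only NETFILTER_PKT records; all other record types are dropped here."""
    for line in lines:
        rec = parse_record(line)
        if rec is not None and rec["type"] == "NETFILTER_PKT":
            yield rec


def summarize(lines):
    """Count packets per (saddr, daddr, protocol, dport) tuple.

    This stands in for whatever the plugin's own business logic does with
    each packet record instead of writing it to the log.
    """
    counts = Counter()
    for rec in netfilter_packets(lines):
        proto = PROTO_NAMES.get(rec.get("proto"), rec.get("proto"))
        counts[(rec.get("saddr"), rec.get("daddr"), proto, rec.get("dport"))] += 1
    return counts


def main():
    # Read stdin as a real plugin would; use the constructed sample when run from a terminal.
    source = SAMPLE_RECORDS.splitlines() if sys.stdin.isatty() else sys.stdin
    for key, n in summarize(source).most_common():
        print(n, *key)


if __name__ == "__main__":
    main()
```

Run it as `python3 plugin_filter.py < audit.log` to see the per-flow counts; the SYSCALL line in the sample is discarded by netfilter_packets, which is exactly the filtering Steve describes the plugin doing. The file name is an assumption for the usage line.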