public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: Burn Alting <burn.alting@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: New draft standards
Date: Tue, 15 Dec 2015 08:46:38 -0500
Message-ID: <8060196.OPZyc9AaGl@x2>
In-Reply-To: <CANg1mKc1cFDvgqW6zLoKc4qAvTnmSRE9MtMCv7LuW_cTHq192w@mail.gmail.com>

On Tuesday, December 15, 2015 09:12:54 AM Burn Alting wrote:
> I use a proprietary ELK-like system based on ausearch's -i option. I would
> like to see some variant outputs from ausearch that "package" events into
> parse-friendly formats (json, xml) and that also incorporate the local
> transformations Steve proposes. I believe this would be the most generic
> solution to support centralised log management.
> 
> I am travelling now, but can write up a specification for review next week.

Yes, please do send something to the mail list for people to look at and 
comment on.

If anyone wants to help influence future direction and does not want to do it 
on the list, please contact me offlist and let me know how you aggregate logs. 
We have to address central log aggregation and I would like to see what the 
majority are using to know where effort would be best spent.

I did run across this page in my survey:
http://buildoop.github.io/

It mentions audit log processing. No idea if anyone is using this either.

-Steve


> On 15 Dec 2015 4:13 am, <Kevin.Dienst@usbank.com> wrote:
> > ELK
> > Splunk
> > 
> > We use a proprietary vendor product that migrates data into an HDFS store
> > via RabbitMQ based collectors and dumps them in raw form. From there I have
> > access to all the usual "big data" tools, albeit I'm not using Flume just
> > yet; we're still trying to get a handle on operationalizing all the various
> > big data components so that data science developers can focus on development
> > instead of operations and support of the hardware/software ecosystem.
