[Freeipa-devel] Feedback requested on Audit piece of IPA

Karl Wirth kwirth at redhat.com
Wed Jul 16 19:45:37 UTC 2008


Hi,

Currently we identified that audit system in general can be targeted to:
* Collect data from different sources
* Consolidate data into a combined storage
* Provide effective tools to analyze collected data
* Archive collected data including signing and compression
* Restore data from archives for audit purposes or analyses

We need your feedback on a couple of questions:
1) Should we store structured log data for analysis, original log data,
or both?
- To do analysis of the log data, it would be better to structure it and
store it.
- But structured data is not the same as the original log file that it
was taken from.   Do we need the original log file format for reasons of
compliance or can we throw it away?
- Storing both parsed and unparsed data will have significant storage
impact.

2) Should we parse the data into a structured format locally or back on
the IPA server?
- Parsing locally and passing both parsed and original log data will
increase network traffic but reduce load on server

3) What is the scope of what should be included in the audit data in
addition to what we will get from syslog, rsyslog, auditd, etc.?  Those
will give us data like user access to a system, keystrokes, etc.  What
beyond that is needed?  For example, is the following needed: files a user
accessed on a system

Regards,
Karl
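To make questions 1 and 2 concrete, here is an added example (not code from this post or from the FreeIPA project) that walks through the pipeline the message sketches: structure a handful of constructed syslog lines while keeping the untouched original alongside a digest of it, measure the storage cost of raw-only, structured-only and both, then compress and HMAC-sign the batch as an archive and refuse to restore it if the signature does not verify. The log lines, the host name, the HMAC key and the gzip-plus-HMAC archive layout are all assumptions made for illustration, not IPA's design.

```python
import gzip
import hashlib
import hmac
import json
import re
from typing import Dict, List, Tuple

# Constructed sample lines in classic BSD syslog layout (not real audit data).
SAMPLE_LINES = [
    "Jul 16 19:45:37 ipa1 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
    "Jul 16 19:45:41 ipa1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Jul 16 19:46:02 ipa1 sshd[2218]: Failed password for invalid user admin from 198.51.100.7 port 4410 ssh2",
]

# timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_syslog_line(line: str) -> Dict[str, object]:
    """Structure one line; keep the original under 'raw' plus a digest of it,
    so a deployment that later drops 'raw' can still prove what was parsed."""
    rec: Dict[str, object] = {
        "raw": line,
        "raw_sha256": hashlib.sha256(line.encode()).hexdigest(),
    }
    m = SYSLOG_RE.match(line)
    if not m:
        # Unparseable lines are kept verbatim rather than silently dropped.
        rec["parse_error"] = True
        return rec
    rec.update({k: v for k, v in m.groupdict().items() if v is not None})
    return rec


def storage_impact(records: List[Dict[str, object]]) -> Dict[str, int]:
    """Byte counts for the three storage options raised in question 1."""
    raw = sum(len(str(r["raw"]).encode()) for r in records)
    structured = sum(
        len(json.dumps({k: v for k, v in r.items() if k != "raw"}).encode())
        for r in records
    )
    both = sum(len(json.dumps(r).encode()) for r in records)
    return {"raw_bytes": raw, "structured_bytes": structured, "both_bytes": both}


def archive_records(records: List[Dict[str, object]], key: bytes) -> Tuple[bytes, str]:
    """Serialize as JSON lines, gzip, and sign the compressed blob with HMAC-SHA256."""
    payload = "\n".join(json.dumps(r, sort_keys=True) for r in records).encode()
    blob = gzip.compress(payload, mtime=0)  # mtime=0 keeps the archive deterministic
    tag = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return blob, tag


def restore_records(blob: bytes, tag: str, key: bytes) -> List[Dict[str, object]]:
    """Verify the signature before touching the compressed data, then decode."""
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("archive signature mismatch; refusing to restore")
    payload = gzip.decompress(blob).decode()
    return [json.loads(line) for line in payload.split("\n") if line]


if __name__ == "__main__":
    recs = [parse_syslog_line(line) for line in SAMPLE_LINES]
    print(storage_impact(recs))
    demo_key = b"constructed-demo-key"  # placeholder, not a real key
    blob, tag = archive_records(recs, demo_key)
    print(len(blob), "compressed bytes, tag", tag[:16], "...")
    print(restore_records(blob, tag, demo_key)[0]["msg"])
```

The numbers from `storage_impact` show why "both" costs the most: the structured record repeats most of the raw text as field values. Signing the compressed blob (rather than the plaintext) means a restore can reject a tampered or truncated archive before decompressing anything.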