Remotely logging audit rules.

Steve Grubb sgrubb at redhat.com
Wed Nov 2 13:31:10 UTC 2005


On Tuesday 01 November 2005 18:31, Stephen J. Smoogen wrote:
> I got a development request to see how much work it would take to do.
> Our policy wags want to have all object audit events (or whatever the
> real term for that is...)  to be sent both locally and remotely.

This is in the works for future versions of audit. We should have it some time 
around the 1.2 or 1.3 release.

> My 5000 foot question is how would the best way to implement this be?
> For the current RHEL 4 I would probably need some sort of tail -f xxx
> | logger type script.

This could be very inefficient and create duplicate records. If you wait a 
week or so, we should be at 1.1 which introduces audisp. This is the audit 
event dispatcher. You will be able to replace it with anything you choose 
since it's a config option. You could hack together a script to record those 
remotely.

-Steve
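
A sketch of the kind of forwarding script discussed above, as an added example that is not part of the original post or the audit project's code. It assumes records arrive as text lines on stdin (the post does not describe the dispatcher's input format), uses a placeholder collector address, and the `Forwarder` helper is hypothetical; it suppresses the duplicate records a restarted `tail -f` would resend.

```python
import re
import socket
import sys
from collections import OrderedDict

# Event identifier carried by every text audit record: msg=audit(<epoch>:<serial>)
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
PRI = 10 * 8 + 6  # syslog priority: facility authpriv (10), severity info (6)

# Constructed sample input; line 2 repeats line 1, as a restarted tail would.
SAMPLE = [
    "type=SYSCALL msg=audit(1130938270.123:456): arch=40000003 syscall=5 success=yes",
    "type=SYSCALL msg=audit(1130938270.123:456): arch=40000003 syscall=5 success=yes",
    'type=PATH msg=audit(1130938270.123:456): name="/etc/shadow"',
    "not an audit record",
]

class Forwarder:
    """Forward each distinct audit record once (hypothetical helper)."""
    def __init__(self, send, window=4096):
        self.send = send            # callable taking one bytes datagram
        self.window = window        # how many recent records to remember
        self.seen = OrderedDict()

    def handle(self, line):
        line = line.rstrip("\n")
        if not EVENT_ID.search(line) or line in self.seen:
            return False            # not a record, or already forwarded
        self.seen[line] = None
        if len(self.seen) > self.window:
            self.seen.popitem(last=False)   # forget the oldest record
        self.send(f"<{PRI}>audit: {line}".encode())
        return True

def demo():
    """Run the constructed sample through a forwarder that only collects."""
    sent = []
    fwd = Forwarder(sent.append)
    return [fwd.handle(line) for line in SAMPLE], sent

def main():
    # 192.0.2.10 is a placeholder collector address (assumption). Plain UDP
    # syslog is unauthenticated and lossy; prefer a TLS-capable relay.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    fwd = Forwarder(lambda d: sock.sendto(d, ("192.0.2.10", 514)))
    for line in sys.stdin:
        fwd.handle(line)

if __name__ == "__main__":
    main()
```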
