
Re: Audit Parsing Library Requirements



On Monday 13 March 2006 17:51, Kevin Carr wrote:
> Another item that came up here at Tresys is the ability to do log
> monitoring. 

As an aside...this is not the recommended thing to do since every access of 
the audit logs is an auditable event. If you have to do real-time 
monitoring, I would suggest using the audit event dispatcher interface. That 
gets all audit events in real time. The parsing specs we are defining right 
now also take a buffer as an input source so that they can be used to examine 
events passed via the event dispatcher.

> After our initial parse/search routine, we would like to be able to check
> every so often to see if new messages have been generated and then display
> the messages if they match our search criteria.

This sounds like a 100% fit for the audit event interface.

-Steve
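
An added illustration, not part of the original message or the audit project's code: a buffer-fed parser of the kind described above, which takes text chunks as a dispatcher consumer would receive them, groups records into events by their `audit(timestamp:serial)` ID, and returns the events that match the search criteria. The `AuditFeed` name, the sample records, and the assumption that one event's records arrive contiguously are constructed for this example.

```python
import re

# Record shape: type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): key=value ...
RECORD = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not taken from a real system).
SAMPLE = (
    'type=SYSCALL msg=audit(1142290260.101:501): syscall=5 exit=-13 pid=2301 comm="httpd"\n'
    'type=AVC msg=audit(1142290260.101:501): avc:  denied  { read } for  pid=2301 comm="httpd" name="shadow"\n'
    'type=USER_LOGIN msg=audit(1142290262.550:502): pid=2410 uid=0 acct="root" res=success\n'
)

class AuditFeed:
    """Incremental parser: feed it arbitrary text chunks, get matching events back."""

    def __init__(self, criteria):
        self.criteria = criteria   # e.g. {"type": "AVC", "comm": "httpd"}
        self.partial = ""          # tail of a line split across two buffers
        self.event_id = None       # (timestamp, serial) of the event being built
        self.records = []

    def _close(self):
        # Every criterion must be met by at least one record of the event.
        done, eid = self.records, self.event_id
        self.event_id, self.records = None, []
        hit = done and all(any(r.get(k) == v for r in done)
                           for k, v in self.criteria.items())
        return [(eid, done)] if hit else []

    def feed(self, chunk):
        out = []
        lines = (self.partial + chunk).split("\n")
        self.partial = lines.pop()         # incomplete last line waits for more data
        for line in lines:
            m = RECORD.match(line)
            if not m:
                continue                   # not an audit record
            rtype, ts, serial, rest = m.groups()
            if (ts, serial) != self.event_id:
                out += self._close()       # new serial: previous event is complete
                self.event_id = (ts, serial)
            rec = {k: v.strip('"') for k, v in FIELD.findall(rest)}
            rec["type"] = rtype
            self.records.append(rec)
        return out

    def flush(self):
        """Call at end of input to emit the event still being assembled."""
        return self._close()
```

Because the consumer only reads what is handed to it, nothing here opens the audit log files.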

