Auditd 1.0.15 in RHEL4 U4

Steve Grubb sgrubb at redhat.com
Tue Feb 13 02:29:48 UTC 2007


On Monday 12 February 2007 08:54, Matthew Booth wrote:
> Will this work without any other 4.5 updates?

Yes.

> Also, I had a quick flick through the dispatcher example. I note that
> it's shipping binary logs. 

Hmm. I don't recall any binary logs in examples...are you sure?

> This is great from a storage POV, however it wasn't clear to me how this
> would tie in with the existing audit tools. If I simply dump the binary data
> to a file, can I easily: 
>
> * Turn it into text?
> * Process it with aureport/ausearch?

Need the answer to the above before I can answer this. But then again...I 
would not release anything that did binary formats without having the whole 
thing tied together. IOW, I would release something that could read as well 
as write a binary format. And I don't recall doing any binary format work.

> Also, that you're aware of, has anybody already implemented the simplest
> possible centralised log server, i.e.:
>
> * Stream uncompressed, unencrypted, unauthenticated audit logs to server
> * Write 1 log file per client audit daemon
> * Rotate on signal, respecting message boundaries

I believe so. I think the SNARE guys wrote a perl script that uses the 
realtime interface and transfers data to their centralized logger.

> I'll be writing this if not.

Well, in about a week we'll be releasing a new & improved event dispatcher 
that will allow multiple programs to hang off it and then we'll start looking 
into a centralized collection system, too.

-Steve
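A minimal collector matching the three bullets quoted above, added here as an example (not code from this thread, from SNARE, or from the audit package): plaintext TCP, one file per client host, and rotation on SIGHUP deferred until the current record is complete so no record is ever split across two files. The listening port and output directory are assumed values.

```python
import os
import signal
import socketserver

class ClientLog:
    """One log file per client daemon; rotation waits for a record boundary."""
    def __init__(self, directory, client_id):
        self.path = os.path.join(directory, client_id + ".log")
        self.fh = open(self.path, "ab")
        self.pending = b""          # partial record not yet terminated by '\n'
        self.rotate_requested = False
        self.rotations = 0

    def request_rotate(self):
        self.rotate_requested = True  # set by SIGHUP; the cut happens at the next boundary

    def _rotate(self):
        self.fh.close()
        self.rotations += 1
        os.rename(self.path, "%s.%d" % (self.path, self.rotations))
        self.fh = open(self.path, "ab")
        self.rotate_requested = False

    def feed(self, chunk):
        """Write each complete newline-terminated record; buffer the tail."""
        self.pending += chunk
        records = self.pending.split(b"\n")
        self.pending = records.pop()  # incomplete trailing record stays in memory
        for rec in records:
            if self.rotate_requested:
                self._rotate()        # previous record fully written: safe to cut here
            self.fh.write(rec + b"\n")
        self.fh.flush()
        return len(records)

class CollectorHandler(socketserver.BaseRequestHandler):
    def handle(self):
        key = self.client_address[0].replace(":", "_")   # one file per client host
        if key not in self.server.logs:
            self.server.logs[key] = ClientLog(self.server.directory, key)
        while chunk := self.request.recv(4096):
            self.server.logs[key].feed(chunk)

class Collector(socketserver.ThreadingTCPServer):
    """Plaintext TCP collector; SIGHUP rotates every client file at a boundary."""
    allow_reuse_address = True
    def __init__(self, addr, directory):
        super().__init__(addr, CollectorHandler)
        self.directory, self.logs = directory, {}
        signal.signal(signal.SIGHUP, lambda *_: [l.request_rotate() for l in self.logs.values()])

# Usage (assumed values): Collector(("0.0.0.0", 6514), "/var/log/audit-central").serve_forever()
```

Each client should keep one long-lived connection, since the handler keys files by source address.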
