Absolute path names in PATH records

John Dennis jdennis at redhat.com
Mon Jul 2 21:22:25 UTC 2007


On Mon, 2007-07-02 at 22:02 +0100, Matthew Booth wrote:
> On Mon, 2007-07-02 at 16:43 -0400, John Dennis wrote:
> > The audit parsing library (auparse) can reassemble independent
> > records into a single event (but currently only if the records occur
> > sequentially; non-sequential record assembly is a future feature).
> 
> I'm evaluating a third party product (RSA's enVision) for handling large
> volumes of audit data from large numbers of hosts. I'm delivering audit
> records to it from a custom auditd which does little other than wrap the
> records it receives as syslog and send them in a UDP packet to the
> collector. This is for performance reasons as we're generating a lot of
> audit data. Post-processing with auparse would require either doing this
> inline, on-node, which I don't think would be feasible because of
> performance, or running it on the enVision appliance, which definitely
> isn't feasible as it runs Windows ;) enVision can plug things back
> together, but again it's limited in what it can do in-line for
> performance reasons. It would be easiest all-round if we got the
> information pre-digested.

A few quick points:

enVision can only reassemble records into an event if you are transmitting
the record header information; are you? If so, and enVision can properly
interpret the header and coalesce matching headers, you're all set.

There is a lot of planned work surrounding aggregate auditing from
multiple hosts, perhaps not relevant to the current evaluation of
enVision, but be aware this technology area is in high churn.

For example, the current audit system now allows interested third
parties to monitor audit information. There is no need for custom audit
daemons; there is a well-defined framework for monitoring.
-- 
John Dennis <jdennis at redhat.com>
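To illustrate the point about the record header: every record belonging to one event carries the same `msg=audit(timestamp:serial)` header, and that is the key a collector needs in order to coalesce records. The following is an added example, not code from the thread, from auparse or from enVision. It groups records by that header regardless of arrival order (so it goes beyond the sequential-only reassembly described for auparse above) and then joins each PATH record's relative `name` with the event's CWD record to produce the absolute path the subject line asks about. The audit log lines are constructed for the example; field layouts follow the ordinary audit record format but the inodes, serials and paths are invented.

```python
import re
import posixpath
from collections import OrderedDict

# Header shared by every record of one event: type=... msg=audit(ts:serial):
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs; quoted values may contain spaces, unquoted ones may not.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample: two events whose records arrive interleaved.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1183411345.123:4567): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat"',
    'type=CWD msg=audit(1183411345.123:4567):  cwd="/home/alice"',
    'type=SYSCALL msg=audit(1183411345.130:4568): arch=c000003e syscall=2 success=no exit=-13 comm="vi" exe="/usr/bin/vi"',
    'type=PATH msg=audit(1183411345.123:4567): item=0 name="notes/todo.txt" inode=1234 dev=08:01 mode=0100644',
    'type=CWD msg=audit(1183411345.130:4568):  cwd="/etc"',
    'type=PATH msg=audit(1183411345.130:4568): item=0 name="../etc/shadow" inode=5678 dev=08:01 mode=0100000',
    'type=PATH msg=audit(1183411345.123:4567): item=1 name="/home/alice/notes/todo.txt.swp"',
    'type=EOE msg=audit(1183411345.123:4567):',
]


def parse_record(line):
    """Split one audit record into its type, event key and fields.

    Returns None for lines that do not carry the audit header, so a
    collector can skip syslog noise instead of crashing on it.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(m.group('body')):
        # Hex-encoded (unquoted) names are kept verbatim; decoding is out of scope here.
        fields[key] = quoted if raw.startswith('"') else raw
    return {
        'type': m.group('type'),
        'ts': m.group('ts'),
        'serial': int(m.group('serial')),
        'fields': fields,
    }


def coalesce(lines):
    """Group records into events keyed by (timestamp, serial).

    Because the header is the key, records may arrive in any order; this is
    the non-sequential assembly the thread mentions as a future feature.
    """
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        events.setdefault((rec['ts'], rec['serial']), []).append(rec)
    return events


def absolute_paths(records):
    """Resolve each PATH record's name against the event's CWD record."""
    cwd = None
    for rec in records:
        if rec['type'] == 'CWD':
            cwd = rec['fields'].get('cwd')
    paths = []
    for rec in records:
        if rec['type'] != 'PATH':
            continue
        name = rec['fields'].get('name')
        if name is None or name == '(null)':
            continue
        if name.startswith('/') or cwd is None:
            paths.append(name)  # already absolute, or no CWD to resolve against
        else:
            paths.append(posixpath.normpath(posixpath.join(cwd, name)))
    return paths


def event_paths(lines):
    """Map each event serial to the absolute paths it touched."""
    return {serial: absolute_paths(recs)
            for (_ts, serial), recs in coalesce(lines).items()}


if __name__ == '__main__':
    for serial, paths in event_paths(SAMPLE_LINES).items():
        print(serial, paths)
```

Note that this only works when the forwarded copy still contains the `msg=audit(...)` header; a custom forwarder that strips it leaves the collector with no way to tell which CWD belongs to which PATH, which is exactly the question raised above.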