audisp-prelude problems

LC Bruzenak lenny at magitekltd.com
Wed Dec 3 17:17:46 UTC 2008


On Wed, 2008-12-03 at 18:53 +0200, Loredan Stancu wrote:
> > On Wed, 2008-12-03 at 17:28 +0200, Loredan Stancu wrote:
> >
...
> Supposing the remote system is an SELinux machine (a machine which stores
> all the user activity sent by audisp-remote plugins. There are more than
> one machine for which I want to store events), what should I do on this
> machine to keep separate event files for each machine?

A couple of different ways to do this:

1: Leave the events in the original log but create new duplicates
- periodically parse using ausearch and filter the output on "node" to
different files (now)
- use the auparse library on logfiles - see audit-1.7.9/auparse/test/
for examples (custom)
- also possibly use the af_unix plugin as per setroubleshoot for event
access (custom)
- write a patch for a new audisp plugin (custom)

2: MY favorite: ask Steve how to make the aggregating side flexible in
this regard. We may need a BZ filed or a consensus about what is
important on this list. I also would like a separation based on time to
allow for an easier archive/restore capability...and maybe that built in
if possible! 
:)
Separation based on node is also a potential "good thing".
Anyway, the point is if there was an official audit modification to
enable this, the data would not be duplicated as it would be above.

LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
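An added example for the first approach above (parse the aggregated log and route records to per-node files); it is not code from this thread or from the audit project. It is a stand-alone Python stand-in for an ausearch/auparse run, and it assumes what an aggregating auditd writes when the sending hosts set name_format in their auditd.conf: each record starts with a node=<hostname> field. Records without that field are filed under an assumed label LOCAL_NODE. The sample records are constructed. Two caveats a practitioner wants are built in: the event serial in msg=audit(ts:serial) restarts on every host, so events are keyed on (node, ts, serial), never on serial alone; and the node name is validated before it becomes a directory name, since it is attacker-influenced data from the network.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

LOCAL_NODE = "localhost"  # assumed label for records that carry no node= field

# Leading node= field that an aggregating auditd prepends to remote records
NODE_RE = re.compile(r"^node=(?P<node>\S+)\s+")
# Event identifier shared by all records of one event on one host
MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
# Allow-list for hostnames used as path components (rejects "..", "/", "-x")
SAFE_NODE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

# Constructed sample records: two remote nodes plus one local daemon record.
SAMPLE_LOG = """\
node=web1 type=SYSCALL msg=audit(1228325866.123:456): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat"
node=web1 type=CWD msg=audit(1228325866.123:456):  cwd="/root"
node=db1 type=USER_LOGIN msg=audit(1228325870.001:77): pid=2201 uid=0 auid=500 msg='op=login id=500 exe="/usr/sbin/sshd" res=success'
node=web1 type=PATH msg=audit(1228325866.123:456): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100600 ouid=0 ogid=0
node=db1 type=SYSCALL msg=audit(1228325870.001:77): arch=c000003e syscall=59 success=yes exit=0 comm="sshd" exe="/usr/sbin/sshd"
type=DAEMON_START msg=audit(1228325800.000:1): auditd start, ver=1.7.9
"""


def is_safe_node_name(node):
    """True if the node name is safe to use as a single directory component."""
    return SAFE_NODE_RE.fullmatch(node) is not None


def parse_record(line):
    """Return (node, ts, serial, record) for one audit record line."""
    line = line.rstrip("\n")
    m = NODE_RE.match(line)
    node = m.group("node") if m else LOCAL_NODE
    mm = MSG_RE.search(line)
    if mm is None:
        raise ValueError("not an audit record: %r" % line)
    return node, mm.group("ts"), int(mm.group("serial")), line


def split_by_node(lines):
    """Group records by node; each entry is (ts, serial, record)."""
    per_node = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        node, ts, serial, rec = parse_record(line)
        per_node[node].append((ts, serial, rec))
    return dict(per_node)


def event_count(per_node):
    """Distinct events per node, keyed on (ts, serial) within that node."""
    return {node: len({(ts, serial) for ts, serial, _ in recs})
            for node, recs in per_node.items()}


def write_per_node(per_node, outdir=None):
    """Write <outdir>/<node>/audit.log for each node; return {node: path}.
    With outdir=None a temporary directory is created (demo only)."""
    if outdir is None:
        outdir = tempfile.mkdtemp(prefix="audit-by-node-")
    paths = {}
    for node, recs in per_node.items():
        if not is_safe_node_name(node):
            # Never let a hostname from the wire pick a path for us
            raise ValueError("refusing unsafe node name: %r" % node)
        d = Path(outdir) / node
        d.mkdir(parents=True, exist_ok=True)
        p = d / "audit.log"
        p.write_text("\n".join(rec for _, _, rec in recs) + "\n")
        paths[node] = str(p)
    return paths


if __name__ == "__main__":
    groups = split_by_node(SAMPLE_LOG.splitlines())
    for node, path in write_per_node(groups).items():
        print("%-10s %d records, %d events -> %s"
              % (node, len(groups[node]), event_count(groups)[node], path))
```

Without custom code, the same selection for one host is what the "now" bullet refers to: ausearch reads a saved log with --input and restricts to one host with --node, and the output is simply redirected into that host's file. The custom version above is only needed when you want every node split in a single pass, or the (node, ts, serial) keying for later correlation.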