Advice on enriching logs with user and group names before moving them to a central log repository
Michael Mather
michael.mather at teksavvy.com
Fri Aug 10 16:57:11 UTC 2012
On Fri, 2012-08-10 at 19:51 +1000, Burn Alting wrote:
> Steve,
>
> I will go ahead with my audispd child program that enriches logs and
> use rsyslog to get them to a central repository.
> I also plan to concatenate all messages belonging to the same event
> (ie time:event_id) and send this as one syslog message to the central
> repository.
> I'd rather do this on the client systems rather than at my central
> repository, in order to gain benefits from, effectively, distributed
> processing.
>
This sounds very useful, Burn.
In an EXECVE message there is something like:
args=2 a0="ls" a1="/etc"
It would be nice if this could be changed to something like
command="ls /etc".
One problem is that the shell script interprets wild cards before auditd
sees the command, and that can lead to long strings. So maybe that
situation could become something like:
something="ls /etc/aaa /etc/bbb /etc/ccc ..."
In most cases a human reader would recognise what is happening.
Also, sometimes the parameters are in hex instead of strings. For
example, when the parameter contains quotes.
Michael