[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Consolidate Audit's msgs


I was wondering if there had already been an effort or solution to
consolidate msgs from auditd into a single line.
I'm talking about buffering the messages until EOE (or timing out/empty
buffer if EOE doesn't come on errors), and concatenating messages with
the same ID into a single message. Potentially also transforming the
message syntax while at it.

I'm asking because some loggers will only accept specific message formats.

I looked at the plugins, but, from what I gather, the kernel sends the
messages as raw strings and I'm not sure of the performance/memory
impact when auditd cranks out a lot of messages.

An alternative could be to send all the msgs as text to a remote auditd
host using audispd-remote, and process the log file on that host.
It means even more messages to process, however, and I'm not sure the text
file interface will be fast enough, might have too much disk activity,
break often, etc., if auditd again cranks out a lot of messages from
many hosts (like several thousand per second).

Any insight?
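As an added example of the buffering described in the post (not code from the original message or from the audit project), here is a small consolidator: it keys records on the audit(seconds.millis:serial) identifier every record carries, holds them until the matching type=EOE arrives, flushes stale events after a timeout so an error that never produces an EOE cannot pin memory, and emits each event as one JSON line. The sample records, the 2-second timeout and the JSON shape are assumptions chosen for illustration; the hex-to-argv decoding of proctitle stands in for the "transforming the message syntax" step.

```python
"""Group auditd records into one event per line, keyed on the audit(ts:serial) id.

Added example (not from the original post or the audit project): a small
consolidator that buffers records until the matching type=EOE arrives,
flushes stale events on a timeout, and emits each event as one JSON line.
"""
import json
import re

# Every record starts with "type=T msg=audit(SECONDS.MILLIS:SERIAL): body".
_HDR = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values may be single-quoted (msg='...'), double-quoted or bare.
_KV = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")
_HEX = re.compile(r'^[0-9A-Fa-f]+$')


def _parse_fields(rtype, body):
    fields = {}
    for key, raw in _KV.findall(body):
        if rtype == 'PROCTITLE' and key == 'proctitle' and _HEX.match(raw) and len(raw) % 2 == 0:
            # The kernel hex-encodes proctitle when it contains spaces or NULs;
            # decode it into an argv list as the syntax transformation step.
            fields[key] = bytes.fromhex(raw).decode('utf-8', 'replace').split('\0')
        else:
            fields[key] = raw.strip('\'"')
    return fields


class AuditConsolidator:
    def __init__(self, timeout=2.0):
        self.timeout = timeout          # seconds to wait for EOE before giving up (assumed)
        self.pending = {}               # (ts, serial) string pair -> event dict

    def feed(self, line, now=None):
        """Consume one raw record; return the list of events completed by it."""
        m = _HDR.match(line.strip())
        if not m:
            return []                   # not an audit record (blank line, noise)
        ts = float(m.group('ts'))
        key = (m.group('ts'), m.group('serial'))
        rtype = m.group('type')
        # Use the record's own timestamp as the clock unless the caller supplies one.
        done = self.expire(ts if now is None else now)
        if rtype == 'EOE':
            ev = self.pending.pop(key, None)
            if ev is not None:
                ev['complete'] = True
                done.append(ev)
            return done
        ev = self.pending.setdefault(key, {
            'timestamp': ts, 'serial': int(m.group('serial')),
            'complete': False, 'records': []})
        ev['records'].append({'type': rtype, 'fields': _parse_fields(rtype, m.group('body'))})
        return done

    def expire(self, now):
        """Flush events older than the timeout; they stay marked incomplete."""
        stale = [k for k, ev in self.pending.items() if now - ev['timestamp'] >= self.timeout]
        return [self.pending.pop(k) for k in stale]


def render(event):
    """One event -> one JSON line, the shape a line-oriented logger can take."""
    return json.dumps(event, separators=(',', ':'))


def consolidate(text, timeout=2.0, final_now=None):
    """Consolidate a block of raw audit text; returns JSON lines (one per event)."""
    c = AuditConsolidator(timeout)
    events = []
    for line in text.splitlines():
        events.extend(c.feed(line))
    if final_now is not None:           # end of input: flush whatever never got an EOE
        events.extend(c.expire(final_now))
    return [render(ev) for ev in events]


# Constructed sample records (not captured from a real host): one complete
# open() event with four records plus EOE, and a USER_LOGIN that never gets its EOE.
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d2b9a6e2a0 a2=80000 a3=0 items=1 ppid=1 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="etc-watch"
type=CWD msg=audit(1700000000.123:456): cwd="/root"
type=PATH msg=audit(1700000000.123:456): item=0 name="/etc/shadow" inode=1311 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.123:456): proctitle=636174002F6574632F736861646F77
type=EOE msg=audit(1700000000.123:456): 
type=USER_LOGIN msg=audit(1700000001.500:457): pid=999 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/1 res=success'
"""

if __name__ == '__main__':
    for line in consolidate(SAMPLE, timeout=2.0, final_now=1700000010.0):
        print(line)
```

The clock defaults to the record's own timestamp, so a reader following a file reproduces the same timeout decisions as a live consumer; a real audispd plugin would pass the wall clock to `expire()` from a periodic tick, since a quiet host otherwise never flushes its last incomplete event. Memory stays bounded by (timeout × event rate), which is the figure to measure against the several-thousand-per-second case raised above.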
