Thoughts on adding sd-journal as a log_format to auditd

Eric Paris eparis at redhat.com
Wed Mar 20 20:58:53 UTC 2013


On Fri, 2013-03-15 at 12:54 -0400, Steve Grubb wrote:
> On Friday, March 15, 2013 11:22:50 AM Miloslav Trmac wrote:
> > ----- Original Message -----
> > 
> > >  2) Write an audispd plugin that used the sd-journal API to store
> > > 
> > > audit events in the journal.
> > > 
> > >  3) Add sd-journal as a log format to auditd.
> > 
> > Both of these will run into the problem recently discussed on this mailing
> > list: the available methods to parse audit records into fields are a bit
> > imprecise/"lossy" because not all records keep the name=value format as
> > expected.
> 
> I don't think this is a problem to worry about. A plugin is handed the whole 
> event line by line. To push events you don't need to parse. The real issue is 
> later...running reports.
> 
> I also thought there was some patch presented on this list sometime in the 
> last month to allow journald to listen for audit events directly.

That's correct.  There is work to pass audit messages directly from the
kernel to the journal.  But it isn't ready.  Today, your best bet if you
are doing it yourself is any of the above, but I don't know which one...
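The lossy-parsing concern and the "plugin is handed the whole event line by line" point can be seen side by side in a small audispd-style plugin. This is an added example, not code from the thread or from the audit or systemd projects: it takes raw audit lines on stdin (as audispd hands them to a plugin), keeps the untouched line as the journal MESSAGE, does a best-effort name=value split on the rest, and parks any tokens that are not name=value (the "avc: denied { read } for" prefix of an AVC record, for instance) in a separate field instead of silently dropping them. The AUDIT_* journal field names, the SAMPLE_LINES records, and the use of the python-systemd binding for the actual send are assumptions of this example.

```python
"""audispd-style plugin sketch: raw audit lines in, journal fields out.

Added example, not part of the linux-audit thread. Field names (AUDIT_*) and the
sample records below are constructed for illustration.
"""
import re

# Header shared by every audit record: type=<TYPE> msg=audit(<sec>.<ms>:<serial>): <body>
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# One name=value token; the value may be 'single-quoted', "double-quoted" or bare.
FIELD_RE = re.compile(r"""(?P<key>[A-Za-z0-9_]+)=(?P<val>'[^']*'|"[^"]*"|\S*)""")

# Constructed sample records (not captured from a real system). Each line is the
# string audispd would deliver; the AVC line carries tokens that are not name=value,
# and the USER_AUTH line nests a second name=value list inside msg='...'.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1363378733.123:456): arch=c000003e syscall=2 success=yes '
    'exit=3 a0=7ffd2a1c3e40 items=1 ppid=1 pid=1234 auid=1000 uid=0 comm="cat" '
    'exe="/usr/bin/cat" key="passwd-read"',
    'type=AVC msg=audit(1363378733.123:457): avc:  denied  { read } for  pid=1234 '
    'comm="httpd" name="shadow" dev="dm-0" ino=12 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=USER_AUTH msg=audit(1363378733.124:458): pid=1 uid=0 auid=4294967295 '
    "ses=4294967295 msg='op=PAM:authentication acct=\"root\" exe=\"/usr/bin/su\" "
    "hostname=? addr=? terminal=pts/0 res=success'",
    'type=EOE msg=audit(1363378733.123:456): ',
]


def split_fields(body):
    """Best-effort name=value split of a record body.

    Returns (fields, leftovers). Text between recognised tokens that is not
    name=value is appended to leftovers rather than discarded, which is what makes
    the parse "lossy" only in structure, never in content.
    """
    fields = {}
    leftovers = []
    pos = 0
    for m in FIELD_RE.finditer(body):
        gap = body[pos:m.start()].strip()
        if gap:
            leftovers.append(gap)
        pos = m.end()
        key, val = m.group('key'), m.group('val')
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
            val = val[1:-1]
        # USER_* records nest a second name=value list inside msg='...'; flatten it,
        # renaming on collision with an outer field of the same name.
        if key == 'msg' and '=' in val:
            inner, inner_left = split_fields(val)
            for k, v in inner.items():
                fields[k if k not in fields else 'msg_' + k] = v
            leftovers.extend(inner_left)
            continue
        fields[key] = val
    tail = body[pos:].strip()
    if tail:
        leftovers.append(tail)
    return fields, leftovers


def to_journal_fields(line):
    """Map one raw audit line to a dict of journal fields.

    MESSAGE is always the untouched line, so a consumer that needs the exact record
    (ausearch-style reporting later) never depends on this parser being complete.
    Journal field names must be uppercase [A-Z0-9_], hence the AUDIT_FIELD_ prefix.
    """
    m = HEADER_RE.match(line)
    if not m:
        # Not an audit record we understand: still forward it, but flag it.
        return {'MESSAGE': line, 'AUDIT_PARSE': 'no-header'}
    fields, leftovers = split_fields(m.group('body'))
    out = {
        'MESSAGE': line,
        'AUDIT_TYPE': m.group('type'),
        'AUDIT_TIMESTAMP': m.group('ts'),
        'AUDIT_SERIAL': m.group('serial'),
    }
    for k, v in fields.items():
        out['AUDIT_FIELD_' + k.upper()] = v
    if leftovers:
        out['AUDIT_UNPARSED'] = ' '.join(leftovers)
    return out


def send_to_journal(fields):
    """Hand the fields to journald via the python-systemd binding (assumed installed).

    Imported lazily so the parsing above is testable on a host without the binding.
    """
    from systemd import journal
    fields = dict(fields)
    message = fields.pop('MESSAGE')
    journal.send(message, **fields)


if __name__ == '__main__':
    import sys
    # audispd delivers one audit record per line on the plugin's stdin; with no pipe
    # attached, walk the constructed samples instead. Pass --send to actually log.
    source = SAMPLE_LINES if sys.stdin.isatty() else (l.rstrip('\n') for l in sys.stdin)
    for raw in source:
        fields = to_journal_fields(raw)
        if '--send' in sys.argv:
            send_to_journal(fields)
        else:
            print(fields)
```

Run without arguments to see what each sample becomes; the AVC record ends up with an AUDIT_UNPARSED field holding "avc:  denied  { read } for", which is exactly the part a plain name=value splitter would have lost. Because MESSAGE keeps the whole line, pushing events into the journal needs no lossless parser at all, which is the point made above; the structured AUDIT_* fields are a convenience for journalctl filtering, not the record of truth.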
