Audit Parsing Library Requirements
Steve Grubb
sgrubb at redhat.com
Mon Mar 13 23:05:21 UTC 2006
On Monday 13 March 2006 17:51, Kevin Carr wrote:
> Another item that came up here at Tresys is the ability to do log
> monitoring.
As an aside...this is not the recommended thing to do since every access of
the audit logs is an auditable event. If you have to do real-time
monitoring, I would suggest using the audit event dispatcher interface. That
gets all audit events in real time. The parsing specs we are defining right
now also take a buffer as an input source so that they can be used to examine
events passed via the event dispatcher.
> After our initial parse/search routine, we would like to be able to check
> every so often to see if new messages have been generated and then display
> the messages if they match our search criteria.
This sounds like a 100% fit for the audit event interface.
-Steve
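Added example, not code from this thread or from the audit project: a Python sketch of the dispatcher-side consumer Steve describes, which parses a buffer of raw audit records (as a dispatcher plugin would receive them) instead of re-reading the log file, and then applies a search criterion. The record layout and the sample events are constructed assumptions, not real log data.

```python
import re
from collections import defaultdict

# Constructed sample buffer: three raw audit records, two of which belong to
# the same event (same serial 501). Not taken from a real system.
SAMPLE_BUFFER = (
    "type=SYSCALL msg=audit(1142290000.123:501): arch=c000003e syscall=2 "
    "success=yes exit=3 comm=\"cat\" exe=\"/bin/cat\" key=\"watch_shadow\"\n"
    "type=PATH msg=audit(1142290000.123:501): item=0 name=\"/etc/shadow\"\n"
    "type=USER_LOGIN msg=audit(1142290050.456:502): pid=900 uid=0 "
    "auid=500 msg='op=login acct=\"alice\" res=success'\n"
)

# Assumed record shape: "type=T msg=audit(SECS.MSEC:SERIAL): k=v k=v ..."
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
# Field values may be double-quoted, single-quoted (nested msg=...) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

def parse_record(line):
    """Parse one raw audit record into a dict of fields; None if malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1),
           "time": float(m.group(2) + "." + m.group(3)),
           "serial": int(m.group(4))}
    for key, val in FIELD_RE.findall(m.group(5)):
        rec[key] = val.strip('"')  # drop double quotes around quoted values
    return rec

def parse_buffer(buf):
    """Group records by serial so multi-record events stay together."""
    events = defaultdict(list)
    for line in buf.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)

def search(events, **criteria):
    """Serials of events in which some record matches every key=value given."""
    return sorted(serial for serial, recs in events.items()
                  if any(all(r.get(k) == v for k, v in criteria.items())
                         for r in recs))

if __name__ == "__main__":
    evs = parse_buffer(SAMPLE_BUFFER)
    print(search(evs, key="watch_shadow"))  # events that hit the watch rule
```

In a real plugin the buffer would be each event text handed over by the dispatcher rather than a fixed string, with the same parse-then-match step applied per event.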