missing avc message field names
Joshua Brindle
jbrindle at tresys.com
Tue Jan 30 17:06:06 UTC 2007
Karl MacMillan wrote:
>>> The biggest issue, of course, is that it would prevent the use of any
>>> tools that process the files as text (grep, tail, awk, seaudit,
>>> setroubleshoot, etc., etc.).
>>
>> ausearch -m all --raw | grep anything you want
>>
>
> tail -f happens to be my favorite counter example, but I am certain
> there are other useful tricks for monitoring logs that will break. Not
> to mention the number of log monitoring and aggregation tools that
> assume text logs.
This is fairly off topic here (selinux list) but I agree with Karl. As a
recovering admin I think I can say that admins expect to be able to use
various unix utilities to inspect log files, particularly tail -f. While
I'm all for applications putting their data in private data formats and
using tools and libraries to inspect them I think it is generally
considered that everything in /var/log is fair game to inspect with
anything available on systems (including perl, python, sed, awk, tail,
grep, etc).
You will certainly be rubbing most admins the wrong way by forcing them
through a different interface that won't support some common commands
like tail -f.
There are probably hundreds of utilities that look through these files
as well, what is going to happen when people try to add audit.log to a
log watcher that emails logs to them? Huge binary dumps in email are
going to make people turn off the audit daemon, not modify their apps to
use different tools/libraries.
More information about the Linux-audit
mailing list