missing avc message field names

Joshua Brindle jbrindle at tresys.com
Wed Jan 31 05:29:44 UTC 2007


Karl MacMillan wrote:
> James Antill wrote:
>> On Tue, 2007-01-30 at 09:49 -0500, Karl MacMillan wrote:
>>> Steve Grubb wrote:
>>>> ausearch -m all --raw | grep anything you want
>>> tail -f happens to be my favorite counter example, but I am certain 
>>> there are other useful tricks for monitoring logs that will break. 
>>> Not to mention the number of log monitoring and aggregation tools 
>>> that assume text logs.
>>
>>  To be fair, the new audit dispatcher already has a plugin that does the
>> same thing as "tail -f" without needing to call stat(), and that'll be
>> released before auditd has binary logs ... although one could certainly
>> argue that it's not as obvious, it seems like a small price.
>>
>
> So you will have that wheel reinvented soon - that still leaves many, 
> many more that you have no control over.

Even with a tail replacement there have to be thousands of internally 
written and maintained log monitoring and reporting apps that will 
break; this is a fundamental change in how logging works on Linux, not 
something that can or should be changed on a whim (or otherwise).
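The thread contrasts two ways of watching the audit stream: text tools such as tail -f and grep over audit.log, and a plugin fed by the audit dispatcher. The block below is an added example (not code from the linux-audit project, nor from anyone in the thread) of the second approach written so that the first keeps working: a small filter that, like an audispd plugin registered with a plugins.d entry using format=string, receives one text audit record per line on stdin, parses the type=... msg=audit(ts:serial): name=value layout, and re-emits only AVC and USER_AVC records unchanged, so any downstream text consumer still sees the familiar format. The record parser also pulls the permission set out of the free-text "avc: denied { ... } for" part and lifts the fields that USER_AVC hides inside its msg='...' value. The sample records, the helper names, and the summary format are all constructed for this example.

```python
#!/usr/bin/env python3
"""Text-format audit record filter, usable as an audispd-style plugin.

Added example, not linux-audit project code. Assumes the plugin is
registered with format=string, so it gets one audit.log-style text
record per line on stdin. SAMPLE_RECORDS are constructed test input.
"""
import re
import sys
from typing import Dict, Iterable, Iterator, Optional, Tuple

# Constructed sample records in audit.log text format (one per entry).
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1170220184.123:4567): avc:  denied  { read } for  '
    'pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=98765 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1170220184.123:4567): arch=c000003e syscall=2 '
    'success=no exit=-13 a0=7fff5fbff2a0 a1=0 a2=1b6 a3=0 items=1 ppid=1 '
    'pid=1234 auid=4294967295 uid=48 gid=48 comm="httpd" '
    'exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)',
    "type=USER_AVC msg=audit(1170220190.456:4570): pid=1 uid=0 "
    "auid=4294967295 subj=system_u:system_r:init_t:s0 "
    "msg='avc:  denied  { send_msg } for  "
    "scontext=system_u:system_r:unconfined_t:s0 "
    "tcontext=system_u:system_r:init_t:s0 tclass=dbus : "
    'exe="/sbin/init" sauid=0 hostname=? addr=? terminal=?\'',
]

# Record header: type, timestamp, serial, then the name=value body.
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
    r"\s*(?P<body>.*)$"
)
# name=value where value is "double quoted", 'single quoted' or bare.
FIELD_RE = re.compile(r"(\w+)=(\"(?:[^\"\\]|\\.)*\"|'[^']*'|\S+)")
# Free-text part of an AVC: the result and the permission set in braces.
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")


def _unquote(raw: str) -> str:
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    return raw


def parse_fields(text: str) -> Dict[str, str]:
    """Extract name=value pairs, dropping the surrounding quotes."""
    return {name: _unquote(raw) for name, raw in FIELD_RE.findall(text)}


def parse_record(line: str) -> Optional[dict]:
    """Parse one text audit record; None if the line is not a record."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if m is None:
        return None  # a long-running plugin must not die on odd input
    fields = parse_fields(m.group("body"))
    # USER_AVC carries the AVC text inside msg='...'; lift its inner
    # fields up without overriding the outer (pid, uid, subj) ones.
    inner = fields.get("msg", "")
    if inner.startswith("avc:"):
        for k, v in parse_fields(inner).items():
            fields.setdefault(k, v)
    avc = None
    a = AVC_RE.search(m.group("body"))
    if a:
        avc = {"result": a.group("result"), "perms": a.group("perms").split()}
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": fields,
        "avc": avc,
    }


def _selinux_type(ctx: str) -> str:
    """Third colon-separated component of a context, e.g. httpd_t."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def describe_avc(rec: dict) -> str:
    """One-line summary: result perms source_type -> target_type:class."""
    f = rec["fields"]
    return "{} {} {} -> {}:{}".format(
        rec["avc"]["result"], ",".join(rec["avc"]["perms"]),
        _selinux_type(f.get("scontext", "?")),
        _selinux_type(f.get("tcontext", "?")), f.get("tclass", "?"))


def filter_avc(lines: Iterable[str],
               types: Tuple[str, ...] = ("AVC", "USER_AVC")) -> Iterator[str]:
    """Yield, unchanged, the lines whose record type is in `types`."""
    for line in lines:
        rec = parse_record(line)
        if rec is not None and rec["type"] in types:
            yield line


def main(argv=None) -> int:
    # Optional record types on the command line; default is the two AVC kinds.
    types = tuple(argv[1:]) if argv and len(argv) > 1 else ("AVC", "USER_AVC")
    for line in filter_avc(sys.stdin, types):
        sys.stdout.write(line if line.endswith("\n") else line + "\n")
        sys.stdout.flush()  # keep latency low for a tail -f style consumer
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on an existing log to check the parsing (`ausearch -m all --raw | python3 avcfilter.py`), or hook it to the dispatcher as a plugin; the lines it writes are byte-for-byte the records it was given, so existing grep and tail based tooling keeps working on its output. A production plugin should additionally exit cleanly when the dispatcher stops it and must never block on stdout, since a stalled plugin backs up the dispatcher queue.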
