missing avc message field names

Russell Coker russell at coker.com.au
Wed Jan 31 22:59:37 UTC 2007


On Wednesday 31 January 2007 16:29, Joshua Brindle <jbrindle at tresys.com> 
wrote:
> Even with a tail replacement there has to be thousands of internally
> written and maintained log monitoring and reporting apps that will
> break, this is a fundamental change in how logging works on linux, not
> something that can or should be changed on a whim (or otherwise).

Most such programs assume that log files keep the same name until a cron job 
renames them.  The current practice of auditd rotating its log files has 
probably broken the majority of such programs already.

Also Steve Grubb suggested having a configuration option for plain-text files 
which will avoid the problems with binary files.

If we work with the assumption that indexed log files are required for sites 
with significant audit requirements due to the volume of logs and the need to 
get responses in a reasonable amount of time then we have two options.  One 
is a binary format, the other is to have index files along-side the text 
files.

Having separate index files introduces complications for renaming and other 
file management (complexity is bad for reliability), even without the issue 
of the sys-admin wanting to rename their own log files.

So it seems that the option of a binary log file is required.

Maybe there should be an option to have auditd write a binary log file as well 
as either a text log file or logging via syslog?  That way the admin could 
have the index benefits of a binary log as well as having text files.  If 
there were two log files then the second copy wouldn't need to be written 
synchronously so the IO load would not double.

-- 
russell at coker.com.au
http://etbe.blogspot.com/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
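A sketch of the "index files along-side the text files" option discussed above, and of the rename problem it brings, added here as an illustration; it is not auditd code and not from the thread. The sidecar index format, the inode check, and the sample records are all constructed.

```python
import os
import re
import tempfile

# Constructed sample records in auditd's text style (not captured from a real system).
SAMPLE_RECORDS = [
    "type=SYSCALL msg=audit(1170284377.101:1001): arch=c000003e syscall=2 success=yes exit=3",
    'type=CWD msg=audit(1170284377.101:1002): cwd="/var/log/audit"',
    "type=SYSCALL msg=audit(1170284380.205:1003): arch=c000003e syscall=59 success=yes exit=0",
]
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")

def append_records(log_path, records):
    """Append text records to log_path and (serial, byte offset) pairs to a sidecar index."""
    idx_path = log_path + ".idx"
    first_use = not os.path.exists(idx_path)
    with open(log_path, "ab") as log, open(idx_path, "a") as idx:
        if first_use:
            # record which file the index describes (assumed scheme: by inode number)
            idx.write(f"inode {os.fstat(log.fileno()).st_ino}\n")
        for rec in records:
            offset = log.tell()                      # append mode: already at end of file
            log.write((rec + "\n").encode())
            idx.write(f"{SERIAL_RE.search(rec).group(1)} {offset}\n")

def lookup(log_path, serial):
    """Seek straight to one record by audit serial; None if the index is stale or serial unknown."""
    with open(log_path + ".idx") as idx:
        kind, inode = idx.readline().split()
        if kind != "inode" or int(inode) != os.stat(log_path).st_ino:
            return None                              # index belongs to a renamed/rotated file
        offsets = {int(s): int(o) for s, o in (line.split() for line in idx)}
    if serial not in offsets:
        return None
    with open(log_path, "rb") as log:
        log.seek(offsets[serial])
        return log.readline().decode().rstrip("\n")

def demo():
    """Index works until the admin renames the text log without renaming the index."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "audit.log")
        append_records(log, SAMPLE_RECORDS[:2])
        before = lookup(log, 1002)                   # found via the index
        os.rename(log, log + ".1")                   # rotation leaves audit.log.idx behind
        append_records(log, SAMPLE_RECORDS[2:])      # new audit.log, old index still paired
        after = lookup(log, 1002)                    # stale index detected, lookup refused
        return before, after
```

The inode check only detects the mismatch; keeping the index and log paired through every rename is the file-management complexity the message refers to.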
