audisp-remote and audisp-prelude question
LC Bruzenak
lenny at magitekltd.com
Tue Mar 24 18:01:39 UTC 2009
On Tue, 2009-03-24 at 13:06 -0400, Steve Grubb wrote:
> On Tuesday 24 March 2009 12:29:48 LC Bruzenak wrote:
> > On the prewikka screen I only see the second event.
>
> prelude is its own protocol and picks out certain data from its config files and
> puts in its packets. The intended use is each machine sends its prelude alerts

not MY intended use... :)

> to a common prelude manager. Each audit event is sent to its aggregator. The
> two systems diverge at audispd.
>
> kernel->auditd->audispd-+->audisp-prelude->prelude-manager
>                         +->audisp-remote->auditd
>
> -Steve

Steve, thanks.
I may not follow. Does the above preclude what I'm asking?
Asked another way, what stops the aggregated audit events from creating
a prelude event?
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny at magitekltd.com