Advice on enriching logs with user and group names before moving them to a central log repository
Burn Alting
burn at swtf.dyndns.org
Thu Aug 2 10:54:14 UTC 2012
Hi,
I have a scenario of a mixed collection of Linux systems, some that have
users authenticate via a central ldap, others have local (/etc/passwd)
authentication.
This means I cannot 100% depend that the user name say, fred, with uid
1000, has the same uid on every machine he has an account on. Thus
before I send my logs to
a central server, I want to enrich them with user and group names I
validate at the local machine. That is, I want to change an event's ids
from
.... uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=43
sgid=43 fsgid=43 ....
to
.... uid=1000(fred) gid=1000(prog) euid=1000(fred)
suid=1000(fred) fsuid=1000(fred) egid=43(utmp) sgid=43(utmp)
fsgid=43(utmp) ....
I BELIEVE my best approach is use the event multiplexor (audispd) to
convert raw logs via a child program, say based on the sample code,
audisp-example (i.e. using the auparse library)
and send the output of this audisp-example variant to syslog to get
the event to a central repository.
Is this the best approach?
Are there parameters I should consider for audisp.conf (e.g. q_depth =
99999)? Does such a configuration option in audisp.conf suggest I make
the buffer size set in audit.rules to something higher?
Is there any consideration to having auditd have a option to directly
generate user and group names in addition to uid and gids?
Thanks in advance
Burn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20120802/3eca2be7/attachment.htm>
More information about the Linux-audit
mailing list