Advice on enriching logs with user and group names before moving them to a central log repository

John Dennis jdennis at redhat.com
Thu Aug 2 13:54:46 UTC 2012


On 08/02/2012 06:54 AM, Burn Alting wrote:
> Hi,
>
> I have a scenario of a mixed collection of Linux systems, some that have
> users authenticate via a central ldap, others have local (/etc/passwd)
> authentication.
> This means I cannot 100% depend that the user name say, fred, with uid
> 1000, has the same uid on every machine he has an account on.  Thus
> before I send my logs to
> a central server, I want to enrich them with user and group names I
> validate at the local machine. That is, I want to change an event's ids from
>
>     .... uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=43
>     sgid=43 fsgid=43 ....
>
> to
>
>     .... uid=1000(fred) gid=1000(prog) euid=1000(fred) suid=1000(fred)
>     fsuid=1000(fred) egid=43(utmp) sgid=43(utmp) fsgid=43(utmp) ....
>
>
> I BELIEVE my best approach is to use the event multiplexor (audispd) to
> convert raw logs via a child program, say based on the sample code,
> audisp-example (i.e. using the auparse library),
> and send the output of this audisp-example variant to syslog to get
> the event to a central repository.
>
> Is this the best approach?
>
> Are there parameters I should consider for audisp.conf (e.g. q_depth =
> 99999)? Does such a configuration option in audisp.conf suggest I make
> the buffer size set in audit.rules to something higher?
>
> Is there any consideration to having auditd have an option to directly
> generate user and group names in addition to uids and gids?

A while ago we were actively working on central log aggregation and ran 
into exactly this problem. There are a number of items in an audit log 
whose value can only be interpreted on the machine the event occurred on 
and at the moment the event occurs (or within a short duration).

There were plans to author an audit plugin that would augment the data 
items with their (interpreted) value. I'm not sure whatever happened to 
that plugin. Steve, can you elaborate?


-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
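The enrichment step the question describes, as an added example that is not part of this thread or of the audit project: a stdin-to-stdout filter of the kind audispd runs as a child plugin, resolving uid/gid fields against the local passwd and group databases and rewriting `uid=1000` as `uid=1000(fred)`. A production plugin would be C built on auparse (where `auparse_interpret_field()` performs the same lookup); this Python version shows the logic, including the two edge cases a practitioner hits in practice: ids with no local entry (such as the unset `auid=4294967295`) are left bare rather than mislabelled, and fields already carrying a name are not enriched twice. The `enrich()` function, the field sets and the injectable lookup callables are this example's own assumptions; the sample record below is constructed.

```python
import grp
import pwd
import re
import sys

# Kernel record fields that carry a user id or a group id. Anything else
# with a numeric value (pid, exit, ses, ...) is left untouched.
UID_FIELDS = {"uid", "euid", "suid", "fsuid", "auid", "ouid"}
GID_FIELDS = {"gid", "egid", "sgid", "fsgid", "ogid"}

# key=digits not already followed by "(" (i.e. not enriched yet).
FIELD_RE = re.compile(r"\b(?P<key>[a-z]+)=(?P<val>\d+)\b(?!\()")


def local_user_name(uid):
    """Resolve a uid on THIS host; None when there is no local entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def local_group_name(gid):
    """Resolve a gid on THIS host; None when there is no local entry."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return None


def enrich(line, user_lookup=local_user_name, group_lookup=local_group_name):
    """Append (name) to every uid/gid field that resolves locally.

    Resolution must happen on the originating machine, before the event
    leaves it: the same uid may belong to a different user elsewhere.
    Unknown ids stay bare so the central side never sees a wrong name.
    """
    def replace(match):
        key, val = match.group("key"), match.group("val")
        numeric = int(val)
        if key in UID_FIELDS:
            name = user_lookup(numeric)
        elif key in GID_FIELDS:
            name = group_lookup(numeric)
        else:
            return match.group(0)
        if name is None:
            return match.group(0)
        return f"{key}={val}({name})"

    return FIELD_RE.sub(replace, line)


# Constructed sample record, modelled on the uid/gid run in the question.
SAMPLE = ("type=SYSCALL msg=audit(1343911800.123:456): syscall=59 success=yes "
          "exit=0 pid=2345 auid=4294967295 uid=1000 gid=1000 euid=1000 "
          "suid=1000 fsuid=1000 egid=43 sgid=43 fsgid=43 comm=\"ls\"")


def demo():
    # Deterministic lookups standing in for this host's passwd/group files.
    users = {1000: "fred"}
    groups = {1000: "prog", 43: "utmp"}
    return enrich(SAMPLE, users.get, groups.get)


if __name__ == "__main__":
    # As an audispd child the plugin receives one event per line on stdin;
    # the enriched line goes to stdout for the next hop (e.g. syslog).
    for raw in sys.stdin:
        sys.stdout.write(enrich(raw))
```

Running it as `python3 enrich.py < /var/log/audit/audit.log` rewrites each line on the local host; the lookups are injectable so the same function can be unit-tested with a fixed mapping rather than whatever the test machine's `/etc/passwd` happens to contain.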



