Advice on enriching logs with user and group names before moving them to a central log repository

[Burn Alting]

Steve,

I will go ahead with my audispd child program that enriches logs and use
rsyslog to get them to a central repository.
I also plan to concatenate all messages belonging to the same event (ie
time:event_id) and send this as one syslog message to the central
repository.
I'd rather do this on the client systems rather than at my central
repository, in order to gain benefits from effectively, distributed
processing.

I have some concerns though:
    - Does the concatenation of messages belonging to one event, outside
of bad code on my part, have some non-obvious risks (from those of you
who have done this?)
    - I intend that my code will have as small an overhead as I can, but
do I risk issues such as overruns of the audispd queue?
    - Do messages from different events ever get intermixed in the
output via audispd? And hence I need to cater for multiple simultaneous
events streaming in?


I will contribute my code to this list for what's it worth once I've
completed it ... perhaps it can be added to the contrib/plugin tree
given it passes this list's peer review.

Guillaume, 

One element of my central repository will take these 'enriched logs' and
map them into CEF also, so I'd be interested in any mappings you are
making.

Thanks in advance.
Burn

 On Mon, 2012-08-06 at 13:51 -0400, Steve Grubb wrote:

> On Thursday, August 02, 2012 09:54:46 AM John Dennis wrote:
> > There were plans to author a audit plugin that would augment the data 
> > items with their (interpreted) value. I'm not sure whatever happened to 
> > that plugin. Steve, can you elaborate?
> 
> This is a problem and I think about it every now and then. But there are 
> bigger problems first.
> 
> -Steve


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20120810/dabfa2cb/attachment.htm>