capturing audit data with ausearch -i
Steve Grubb
sgrubb at redhat.com
Wed Dec 11 12:58:17 UTC 2013
Hello,
On Tuesday, December 10, 2013 10:17:26 PM Levy, Mark wrote:
> We're trying to find a way to capture the Linux audit data and then pass it
> through ausearch -I and then send the data to our SIEM product for
> ingestion. Does the audispd allow the ausearch -I to be used as an arg?
No. It has just one job, distribute events to all plugins as fast as possible
to prevent overflow in the queue from auditd.
> What would be the best way to attempt this?
It's really easy to write an audispd plugin to format data exactly how you want
it. Have you looked at the sample code?
https://fedorahosted.org/audit/browser/trunk/contrib/plugin/audisp-example.c
-Steve
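As an added illustration of the plugin approach Steve describes (this is not the audit project's own code and not the audisp-example.c linked above), the script below does the job the original poster wanted from `ausearch -i`: it reads raw audit records from stdin, the way audispd hands them to a plugin configured with `type = always` and `format = string`, interprets a handful of fields (timestamp, arch, syscall number, negative exit codes, hex-encoded proctitle, uid lookups) and writes one JSON object per event for a SIEM collector. The sample records, the file name, the plugins.d entry and the small arch/syscall tables are constructed for the example; a production plugin would use libauparse for full interpretation.

```python
"""Minimal audispd plugin that normalizes raw audit records to JSON lines.

Constructed example: audispd starts the plugin and writes raw records to its stdin.
An assumed /etc/audisp/plugins.d/audisp-json.conf for it would look like:
    active = yes
    direction = out
    path = /usr/local/bin/audisp-json.py   (placeholder path)
    type = always
    format = string
"""
import errno
import json
import pwd
import re
import sys
from datetime import datetime, timezone

# Constructed sample: three records of one event (serial 4567), a denied read of /etc/shadow.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1386676646.123:4567): arch=c000003e syscall=2 success=no exit=-13 '
    'a0=7fffd19c5592 a1=0 a2=1b6 a3=0 items=1 ppid=1000 pid=1234 auid=1000 uid=1000 gid=1000 '
    'euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 '
    'comm="cat" exe="/usr/bin/cat" key="shadow-access"',
    'type=CWD msg=audit(1386676646.123:4567):  cwd="/home/alice"',
    'type=PROCTITLE msg=audit(1386676646.123:4567): proctitle=636174002F6574632F736861646F77',
]

# Partial interpretation tables (x86_64 only); ausearch -i / auparse carry the full ones.
ARCH_NAMES = {"c000003e": "x86_64"}
SYSCALL_NAMES_X86_64 = {0: "read", 1: "write", 2: "open", 59: "execve", 257: "openat"}
HEX_ENCODED_KEYS = ("proctitle", "name", "cwd", "comm", "exe")

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
# A value is either a double-quoted string (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def decode_value(key, value):
    """Strip quotes; the kernel hex-encodes (unquoted) string fields that contain
    spaces or control bytes, so an unquoted hex value for those keys is decoded."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_ENCODED_KEYS and HEX_RE.match(value):
        raw = bytes.fromhex(value)
        # proctitle separates argv entries with NUL bytes; show them as spaces.
        return raw.replace(b"\x00", b" ").decode("utf-8", "replace").rstrip()
    return value


def interpret(fields):
    """Add human-readable companions for a few fields, mirroring what ausearch -i prints."""
    out = dict(fields)
    if "arch" in fields:
        out["arch_name"] = ARCH_NAMES.get(fields["arch"], "unknown")
    if "syscall" in fields and fields.get("arch") == "c000003e" and fields["syscall"].isdigit():
        out["syscall_name"] = SYSCALL_NAMES_X86_64.get(int(fields["syscall"]), fields["syscall"])
    exit_code = fields.get("exit", "")
    if exit_code.lstrip("-").isdigit() and int(exit_code) < 0:
        out["exit_name"] = errno.errorcode.get(-int(exit_code), "unknown")  # -13 -> EACCES
    for key in ("auid", "uid", "euid"):
        if key in fields and fields[key].isdigit():
            try:
                out[key + "_name"] = pwd.getpwuid(int(fields[key])).pw_name
            except (KeyError, OverflowError):
                pass  # no such account on this host (or auid unset); keep the number only
    return out


def parse_record(line):
    """Parse one raw audit record into type, ISO-8601 UTC time, serial and interpreted fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, msecs, serial, body = m.groups()
    ts = datetime.fromtimestamp(int(secs), timezone.utc).replace(
        microsecond=int(msecs.ljust(6, "0")[:6]))
    fields = {k: decode_value(k, v) for k, v in FIELD_RE.findall(body)}
    return {"type": rtype, "time": ts.isoformat(timespec="milliseconds"),
            "serial": int(serial), "fields": interpret(fields)}


def records_to_events(lines):
    """Group consecutive records sharing a serial into one event; yields as each completes."""
    current = None
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if current is None or current["serial"] != rec["serial"]:
            if current is not None:
                yield current
            current = {"serial": rec["serial"], "time": rec["time"], "records": []}
        current["records"].append({"type": rec["type"], "fields": rec["fields"]})
    if current is not None:
        yield current


def main(stream, out=sys.stdout):
    for event in records_to_events(stream):
        out.write(json.dumps(event, sort_keys=True) + "\n")
        out.flush()  # never buffer: audispd's queue behind a slow plugin is finite


if __name__ == "__main__":
    # With no piped input, run on the constructed sample so the script demonstrates itself.
    main(SAMPLE_RECORDS if sys.stdin.isatty() else sys.stdin)
```

Events are emitted as each serial completes rather than after the whole stream is read, and stdout is flushed per event, because audispd drops or blocks on a plugin that falls behind; the plugin should do the minimum formatting and hand off to the collector, which is also why the interpretation tables here are deliberately small.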