Thoughts on adding sd-journal as a log_format to auditd
Miloslav Trmac
mitr at redhat.com
Fri Mar 15 15:22:50 UTC 2013
----- Original Message -----
> 2) Write an audispd plugin that used the sd-journal API to store
> audit events in the journal.
>
> 3) Add sd-journal as a log format to auditd.
Both of these will run into the problem recently discussed on this mailing list: the available methods to parse audit records into fields are a bit imprecise/"lossy" because not all records keep the name=value format as expected.
This can be OK if auparse is able to extract all the data you need/expect to process.
Mirek
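The lossiness Mirek describes, shown with an added example that is not from the original thread or from auparse: a naive name=value tokenizer run over constructed audit-style records, beside a variant that keeps whatever text it could not place in a field. The sample records and the regex are assumptions for illustration, not the audit library's own parsing logic.

```python
import re

# Constructed sample records (not taken from the original message).
# The first two are pure name=value records; the AVC record carries a
# free-text prefix ("avc:  denied  { read } for") that a name=value
# tokenizer has no field to put it in.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1363361000.123:4242): arch=c000003e syscall=2 '
    'success=no exit=-13 comm="cat" exe="/usr/bin/cat" key="access"',
    'type=PATH msg=audit(1363361000.123:4242): item=0 name="/etc/shadow" mode=0100000',
    'type=AVC msg=audit(1363361000.456:4243): avc:  denied  { read } for  pid=1234 '
    'comm="cat" name="shadow" scontext=user_u:user_r:user_t:s0 tclass=file',
]

# A field is a word, "=", then either a double-quoted string or a run of non-space.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_lossy(record):
    """Keep only name=value pairs; any other text silently disappears."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(record)}


def parse_preserving(record):
    """Same tokenization, but also return the text between matches.

    Returns (fields, unparsed): anything in `unparsed` is data a consumer
    that stores only `fields` (e.g. a journal writer) would lose.
    """
    fields, unparsed, pos = {}, [], 0
    for m in FIELD_RE.finditer(record):
        gap = record[pos:m.start()].strip()
        if gap:
            unparsed.append(gap)
        fields[m.group(1)] = m.group(2).strip('"')
        pos = m.end()
    tail = record[pos:].strip()
    if tail:
        unparsed.append(tail)
    return fields, unparsed


def lossy_records(records):
    """Return the records for which name=value extraction would drop text."""
    return [r for r in records if parse_preserving(r)[1]]


if __name__ == "__main__":
    for rec in lossy_records(SAMPLE_RECORDS):
        print("would lose:", parse_preserving(rec)[1], "from", rec[:40], "...")
```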