Thoughts on adding sd-journal as a log_format to auditd

Steve Grubb sgrubb at redhat.com
Fri Mar 15 16:54:28 UTC 2013


On Friday, March 15, 2013 11:22:50 AM Miloslav Trmac wrote:
> ----- Original Message -----
> 
> >  2) Write an audispd plugin that used the sd-journal API to store
> >  audit events in the journal.
> > 
> >  3) Add sd-journal as a log format to auditd.
> 
> Both of these will run into the problem recently discussed on this mailing
> list: the available methods to parse audit records into fields are a bit
> imprecise/"lossy" because not all records keep the name=value format as
> expected.

I don't think this is a problem to worry about. A plugin is handed the whole 
event line by line. To push events you don't need to parse. The real issue is 
later...running reports.

I also thought there was some patch presented on this list sometime in the 
last month to allow journald to listen for audit events directly.

-Steve
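An added example, not part of Steve's message or of the audit project's own code, to illustrate the point above: an audispd-style plugin receives one audit record per line on stdin and can push each line verbatim (here as the journal MESSAGE field) without parsing it at all; the best-effort name=value split is kept separate, and on the constructed sample records below it shows exactly where that split is lossy (an AVC prefix that is not name=value, and a nested msg='...' payload that stays one opaque string). The sample records, the AUDIT_* field names, the in-memory sink and the parse_record/to_journal_fields helpers are assumptions made for the example; the only real API referenced is systemd.journal.send() from the python-systemd binding, and it is only called when that binding is installed.

```python
#!/usr/bin/env python3
"""Sketch of an audispd-style plugin (example code, not from the audit project).

audispd hands each audit record to a plugin on stdin, one record per line.
Pushing to a sink needs no parsing: the raw line is kept intact as MESSAGE.
Field extraction is best-effort and kept separate, because not every record
is a clean run of name=value pairs.
"""
import re
import sys

# Real binding, if present: journal.send(MESSAGE=..., FIELD=...) writes one
# journal entry.  Without it the script still runs (entries go to a sink).
try:
    from systemd import journal
except ImportError:  # assumption: run offline without python-systemd
    journal = None

SENT = []  # in-memory stand-in for the journal, used by the offline sink

# Header shared by every audit record; the body format varies by type.
_HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# One name=value token; quoted values may contain spaces.
_KV = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_record(line):
    """Best-effort split of one record into fields.

    Returns (fields, leftovers): leftovers holds every stretch of the body
    that is not a name=value token, which is exactly what a plain tokenizer
    would lose (e.g. the "avc:  denied  { read } for" prefix of AVC records).
    """
    m = _HEADER.match(line.strip())
    if not m:
        return {}, [line.strip()]
    rtype, ts, serial, body = m.groups()
    fields = {"type": rtype, "timestamp": ts, "serial": serial}
    leftovers = []
    pos = 0
    for km in _KV.finditer(body):
        gap = body[pos:km.start()].strip()
        if gap:
            leftovers.append(gap)
        # A nested msg='op=... acct="x"' payload is kept as one string; the
        # pairs inside it are NOT expanded, which is the lossy part.
        fields[km.group(1)] = km.group(2).strip("\"'")
        pos = km.end()
    tail = body[pos:].strip()
    if tail:
        leftovers.append(tail)
    return fields, leftovers


def to_journal_fields(line):
    """Build one journal entry for a raw audit line.

    MESSAGE carries the record byte-for-byte, so nothing is lost even when
    parsing is imprecise.  AUDIT_* fields (assumed names) are a convenience
    for later reporting; AUDIT_UNPARSED records what the tokenizer skipped.
    """
    fields, leftovers = parse_record(line)
    entry = {"MESSAGE": line.rstrip("\n"), "SYSLOG_IDENTIFIER": "audispd"}
    for name, value in fields.items():
        entry["AUDIT_" + name.upper()] = value
    if leftovers:
        entry["AUDIT_UNPARSED"] = " | ".join(leftovers)
    return entry


def run(stream, sink):
    """Plugin main loop: one record per line, each pushed to sink(entry)."""
    count = 0
    for line in stream:
        if line.strip():
            sink(to_journal_fields(line))
            count += 1
    return count


# Constructed sample records in the shape the kernel/audit userspace emits;
# values (pids, timestamps, contexts) are made up for the example.
SAMPLE = [
    'type=SYSCALL msg=audit(1363366468.123:456): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=1000 pid=1001 auid=1000 uid=1000 comm="bash" '
    'exe="/bin/bash" key=(null)\n',
    "type=USER_AUTH msg=audit(1363366468.456:457): pid=1002 uid=0 auid=1000 "
    "ses=3 msg='op=PAM:authentication acct=\"root\" exe=\"/usr/bin/su\" "
    "hostname=? addr=? terminal=pts/0 res=success'\n",
    'type=AVC msg=audit(1363366468.789:458): avc:  denied  { read } for  '
    'pid=1003 comm="httpd" name="index.html" '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file\n',
]

if __name__ == "__main__":
    # As a real plugin audispd connects our stdin; push to the journal when
    # python-systemd is available, otherwise print the entries we would send.
    sink = (lambda e: journal.send(**e)) if journal else print
    run(sys.stdin, sink)
```

Fed the constructed SAMPLE records, the SYSCALL line tokenizes completely, the USER_AUTH line keeps its nested acct/exe/res pairs buried inside one AUDIT_MSG string, and the AVC line ends up with AUDIT_UNPARSED set to the "avc:  denied  { read } for" prefix; in every case MESSAGE still holds the full record, which is why forwarding needs no parsing and only reporting does.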
