New draft standards

Burn Alting burn at swtf.dyndns.org
Wed Dec 23 22:44:00 UTC 2015


On Fri, 2015-12-18 at 16:12 +1100, Burn Alting wrote:
> On Tue, 2015-12-15 at 08:46 -0500, Steve Grubb wrote:
> > On Tuesday, December 15, 2015 09:12:54 AM Burn Alting wrote:
> > > I use a proprietary ELK-like system based on ausearch's -i option. I would
> > > like to see some variant outputs from ausearch that "packages" events into
> > > parse-friendly formats (json, xml) that also incorporates the local
> > > transformations Steve proposes. I believe this would be the most generic
> > > solution to support centralised log management.
> > > 
> > > I am travelling now, but can write up a specification for review next week.
> > 
> > Yes, please do send something to the mail list for people to look at and 
> > comment on.
> > 
> All,
> 
> To reiterate, my need is to generate easy to parse events over which
> local interpretation has been applied, retaining raw input to the some
> of the interpretations if required. I want to then transmit the complete
> interpreted event to my central event repository.
> 
> My proposal is that ausearch gains the following 'interpreted output'
> options 
> 
>         --Xo plain|json|xml
>         generate plain (cf --interpret), xml or json formatted events
>         
>         --Xr key_a'+'key_b'+'key_c
>         include raw value for given keys using the new key
>         __r_key_a, __r_key_b, etc. The special key __all__ is
>         interpreted to retain the complete raw record. If the raw value
>         has no interpreted value, then we will end up with two keys with
>         the same value.
> 
> I have attached the XSD from which the XML and JSON formats could be
> defined.
> 

Is there any interest in this? If it was available, would people make
use of it?

If so I can modify ausearch and generate a proposed patch over the
Christmas break.

Regards
Burn
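To make the proposed `--Xo json` / `--Xr` behaviour concrete, here is an added example (my code, not ausearch's and not the attached XSD, which is not reproduced here): it parses one constructed raw audit record, applies a stand-in for the local interpretation that `ausearch -i` performs (small constructed lookup tables for uid, arch and syscall names), and emits a JSON object that carries the interpreted fields plus `__r_<key>` copies of the requested raw values. The flat JSON shape, the ISO 8601 `time` field, and the literal reading of `__all__` as the key `__r___all__` are my assumptions; the sample values are constructed.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample record in raw audit format (illustrative values, not
# taken from the mailing list post).
RAW_RECORD = (
    "type=SYSCALL msg=audit(1450000000.123:42): arch=c000003e syscall=2 "
    "success=yes exit=3 a0=7ffd0 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=1234 "
    "auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 "
    'tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="access"'
)

# Constructed lookup tables standing in for the local interpretation that
# ausearch -i performs (passwd lookups, arch and syscall name tables).
UID_NAMES = {"0": "root", "1000": "burn"}
ARCH_NAMES = {"c000003e": "x86_64"}
SYSCALL_NAMES = {"x86_64": {"2": "open", "257": "openat"}}
UID_KEYS = ("uid", "auid", "euid", "suid", "fsuid")

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_raw(line: str) -> Dict[str, str]:
    """Split one raw audit record into its key=value fields, untouched."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, secs, frac, serial, body = m.groups()
    fields = {"type": rtype, "time": "%s.%s" % (secs, frac), "serial": serial}
    for key, value in FIELD_RE.findall(body):
        fields[key] = value
    return fields


def interpret(raw: Dict[str, str]) -> Dict[str, str]:
    """Apply local interpretation to the raw fields (stand-in for ausearch -i)."""
    out = dict(raw)
    secs, frac = raw["time"].split(".")
    ts = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=int(secs))
    out["time"] = ts.strftime("%Y-%m-%dT%H:%M:%S") + ".%sZ" % frac
    if "arch" in raw:
        out["arch"] = ARCH_NAMES.get(raw["arch"], raw["arch"])
    if "syscall" in raw:
        table = SYSCALL_NAMES.get(out.get("arch", ""), {})
        out["syscall"] = table.get(raw["syscall"], raw["syscall"])
    for key in UID_KEYS:
        if key in raw:
            out[key] = UID_NAMES.get(raw[key], raw[key])
    for key, value in raw.items():
        # Strip the quoting from string-valued fields such as comm="cat".
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            out[key] = value[1:-1]
    return out


def build_event(line: str, raw_keys: List[str]) -> Dict[str, str]:
    """Interpreted event plus __r_<key> copies of the requested raw values.

    A key without an interpretation (e.g. pid) simply ends up twice with
    the same value, as the proposal notes; __all__ keeps the whole record.
    """
    raw = parse_raw(line)
    event = interpret(raw)
    for key in raw_keys:
        if key == "__all__":
            event["__r___all__"] = line
        elif key in raw:
            event["__r_" + key] = raw[key]
    return event


def to_json(event: Dict[str, str]) -> str:
    """Serialise one event as a single JSON object (one line per event)."""
    return json.dumps(event, sort_keys=True)


if __name__ == "__main__":
    # Equivalent of: ausearch --Xo json --Xr uid+syscall+pid
    print(to_json(build_event(RAW_RECORD, ["uid", "syscall", "pid"])))
```

A real implementation would sit inside ausearch after its existing interpretation pass rather than re-deriving names from tables, but the output shape is the point: one flat object per record, interpreted values under the original keys, raw values only where the consumer asked for them.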