New draft standards
Burn Alting
burn at swtf.dyndns.org
Wed Dec 23 22:44:00 UTC 2015
On Fri, 2015-12-18 at 16:12 +1100, Burn Alting wrote:
> On Tue, 2015-12-15 at 08:46 -0500, Steve Grubb wrote:
> > On Tuesday, December 15, 2015 09:12:54 AM Burn Alting wrote:
> > > I use a proprietary ELK-like system based on ausearch's -i option. I would
> > > like to see some variant outputs from ausearch that "packages" events into
> > > parse-friendly formats (json, xml) that also incorporates the local
> > > transformations Steve proposes. I believe this would be the most generic
> > > solution to support centralised log management.
> > >
> > > I am travelling now, but can write up a specification for review next week.
> >
> > Yes, please do send something to the mail list for people to look at and
> > comment on.
> >
> All,
>
> To reiterate, my need is to generate easy to parse events over which
> local interpretation has been applied, retaining raw input to some
> of the interpretations if required. I want to then transmit the complete
> interpreted event to my central event repository.
>
> My proposal is that ausearch gains the following 'interpreted output'
> options
>
> --Xo plain|json|xml
> generate plain (cf --interpret), xml or json formatted events
>
> --Xr key_a'+'key_b'+'key_c
> include raw value for given keys using the new key
> __r_key_a, __r_key_b, etc. The special key __all__ is
> interpreted to retain the complete raw record. If the raw value
> has no interpreted value, then we will end up with two keys with
> the same value.
>
> I have attached the XSD from which the XML and JSON formats could be
> defined.
>
Is there any interest in this? If it was available, would people make
use of it?
If so I can modify ausearch and generate a proposed patch over the
Christmas break.
Regards
Burn
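The interpreted-event format proposed above (--Xo json together with --Xr key_a+key_b+__all__), worked through as an added example that is not part of the original post or of the audit project: ausearch has no --Xo/--Xr options, the SYSCALL record is constructed, the uid/arch/syscall tables are small stand-ins for the lookups ausearch -i performs, only the json output variant is produced, and the key name __r___all__ for the complete raw record is one reading of applying the __r_ prefix to __all__, since the proposal does not spell it out.

```python
"""Prototype of the proposed ausearch 'interpreted output' (json variant).

Added example, not audit-project code. ausearch does not have --Xo/--Xr;
the record and lookup tables below are constructed for illustration.
"""
import json
import re
from datetime import datetime, timezone

# Constructed raw SYSCALL record in the form found in /var/log/audit/audit.log.
RAW_RECORD = (
    'type=SYSCALL msg=audit(1450392240.123:4567): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=7ffd2c3e1f40 a1=0 a2=1b6 a3=0 items=1 ppid=1 '
    'pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="access"'
)

# Constructed stand-ins for /etc/passwd and the per-arch syscall table
# that ausearch -i consults on the local host.
PASSWD = {0: "root", 1000: "burn"}
ARCHES = {"c000003e": "x86_64"}
SYSCALLS = {"x86_64": {2: "open", 59: "execve"}}
UID_KEYS = {"auid", "uid", "euid", "suid", "fsuid"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\):')


def parse_raw(record):
    """Split a raw audit record into an ordered key -> raw value dict."""
    return {k: v for k, v in FIELD_RE.findall(record)}


def interpret(fields):
    """Apply local interpretation, ausearch -i style, to the raw values.

    Keys with no interpretation (pid, exit, the a0..a3 registers, ...) are
    passed through unchanged, which is why requesting them with --Xr yields
    two keys holding the same value.
    """
    out = {}
    arch = ARCHES.get(fields.get("arch", ""), fields.get("arch"))
    for key, val in fields.items():
        if key == "msg":
            secs, millis, serial = MSG_RE.fullmatch(val).groups()
            ts = datetime.fromtimestamp(int(secs), tz=timezone.utc)
            out[key] = f"audit({ts.strftime('%Y-%m-%dT%H:%M:%S')}.{millis}Z:{serial})"
        elif key == "arch":
            out[key] = arch
        elif key == "syscall":
            out[key] = SYSCALLS.get(arch, {}).get(int(val), val)
        elif key in UID_KEYS:
            out[key] = PASSWD.get(int(val), f"unknown({val})")
        elif val.startswith('"') and val.endswith('"'):
            out[key] = val[1:-1]          # comm/exe/key: drop the quoting
        else:
            out[key] = val                # no local interpretation available
    return out


def parse_raw_keys(spec):
    """Parse a --Xr argument such as 'uid+syscall+__all__' into a key list."""
    return [k for k in spec.split("+") if k]


def build_event(record, raw_spec=""):
    """Interpreted event plus the __r_<key> raw values requested via --Xr."""
    fields = parse_raw(record)
    event = interpret(fields)
    for key in parse_raw_keys(raw_spec):
        if key == "__all__":
            # Assumed naming: the __r_ prefix applied to the special key.
            event["__r___all__"] = record
        elif key in fields:
            event["__r_" + key] = fields[key]
    return event


def to_json(record, raw_spec=""):
    """The --Xo json rendering of one event."""
    return json.dumps(build_event(record, raw_spec))


if __name__ == "__main__":
    print(to_json(RAW_RECORD, "uid+pid+__all__"))
```

Requesting uid gives the interpreted name under uid and the numeric value under __r_uid, while requesting pid, which ausearch does not interpret, gives pid and __r_pid with the same value, exactly the duplication the proposal describes; the a0..a3 registers are also passed through untouched here, whereas ausearch -i decodes a0 for some syscalls.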
More information about the Linux-audit mailing list