Centralized Logging question #2

F Rafi farhanible at gmail.com
Fri Apr 29 20:05:32 UTC 2016


We're syslogging to a hosted search provider (somewhat like Splunk). They
don't currently support automatic auditd log parsing. However, we have
written custom scheduled alerts based on the syscalls we're logging.

I believe someone also posted a Splunk auditd app a while back.

https://splunkbase.splunk.com/app/2642/

-Farhan

On Fri, Apr 29, 2016 at 3:35 PM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Thursday, April 28, 2016 07:55:13 PM Warron S French wrote:
> > If I centralize audit logging through rsyslog, and I have each of the
> remote
> > machines' /etc/rsyslog.conf to use the same generic audit.log file name
> > instead of customizing the audit logs with something like;
> > HOSTNAME-audit.log, because ausearch apparently only looks for a file
> > specifically of the format audit.log...
>
> People who use rsyslog as the centralizing tool are likely to be using
> something else like splunk or other tools to do audit reporting and review.
>
>
> > Will the log-data submitted from the various hosts be consolidated into a
> > single file?
>
> Through the native audit tools, yes. Through other tools...I don't know.
> There
> are a variety of ways central logging can be done. I'm surprised no one has
> chimed in to offer an alternate.
>
>
> > Will the ausearch command then be usable with the -if argument?
>
> Once rsyslog gets the audit event, it adds its own data to the record. That
> messes up the audit tool's parsers.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
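Steve's point that rsyslog prepends its own header to every forwarded audit record, and Farhan's scheduled alerts on the logged syscalls, as an added example that is not code from the thread or from the audit project. It assumes rsyslog's traditional `timestamp host tag: message` line layout and that the audispd syslog plugin logs under the tag `audispd`; `split_by_host`, `audit_fields` and `syscall_alerts` are hypothetical names, and the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Traditional rsyslog line layout: "Mon DD HH:MM:SS host tag[pid]: message".
# Only messages that look like raw auditd records are captured (optionally with
# the node= prefix auditd adds when name_format is set); other syslog is skipped.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[\w./-]+)(?:\[\d+\])?: "
    r"(?P<msg>(?:node=\S+ )?type=\S+ msg=audit\(.*)$"
)

# Constructed sample of a shared audit.log written by the central rsyslog host.
SAMPLE = """\
Apr 29 20:05:32 web01 audispd: type=SYSCALL msg=audit(1461960332.123:4567): arch=c000003e syscall=59 success=yes exit=0 comm="bash" exe="/usr/bin/bash" key="exec"
Apr 29 20:05:32 web01 audispd: type=EXECVE msg=audit(1461960332.123:4567): argc=2 a0="id" a1="-u"
Apr 29 20:05:33 db01 audispd: type=SYSCALL msg=audit(1461960333.456:89): arch=c000003e syscall=2 success=no exit=-13 comm="cat" exe="/usr/bin/cat" key="shadow"
Apr 29 20:05:34 db01 sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 50022
"""

def split_by_host(text):
    """Strip the rsyslog header and group the raw audit records per host.
    Each record starts at "type=" (or "node="), the form auditd itself writes,
    so a per-host audit.log built from these is what `ausearch -if` expects."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            per_host[m["host"]].append(m["msg"])
    return dict(per_host)

def audit_fields(record):
    """Parse the key=value pairs of one audit record, unquoting quoted values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def syscall_alerts(text, watched_keys):
    """(host, rule key, syscall, success) for SYSCALL records carrying a watched
    rule key: the check a scheduled alert over the logged syscalls would run."""
    hits = []
    for host, records in split_by_host(text).items():
        for rec in records:
            f = audit_fields(rec)
            if f.get("type") == "SYSCALL" and f.get("key") in watched_keys:
                hits.append((host, f["key"], f["syscall"], f["success"]))
    return hits

if __name__ == "__main__":
    print(syscall_alerts(SAMPLE, {"exec", "shadow"}))
```

Writing each host's records from `split_by_host` to its own file keeps the native format intact, which is what the rsyslog header otherwise breaks.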