Auditing network traffic

Steve Grubb sgrubb at redhat.com
Thu Jan 21 22:09:38 UTC 2016


On Thursday, January 21, 2016 10:49:37 PM Lev Stipakov wrote:
> Sorry, I probably was not clear here. I am able to catch packets by
> adding iptables rules like ones you've mentioned and process events
> (with record type AUDIT_NETFILTER_PKT) by code inside my plugin.
> 
> The problem is, I would prefer them not to be written to logfiles. My
> business logic does not require that (everything is handled by plugin
> code), and I noticed that logs are rotated quite fast (I capture all
> incoming/outgoing packets). So, is there any way to disable logging and
> make audit deliver those events to plugin only?

In /etc/audit/auditd.conf make log_format like this:

log_format = NOLOG

and auditd will not log anything to disk.

-Steve
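As an added example (not code from this thread or from the audit project), the following Python sketch shows the two halves of the setup Steve describes: a plugin-style reader that keeps only NETFILTER_PKT records, and a check that auditd.conf really has log_format = NOLOG so nothing else lands on disk. It assumes the plugin receives records as text lines on stdin (the string format audispd plugins are usually configured for); the sample records and addresses are constructed, and the exact field layout of NETFILTER_PKT varies between kernel versions.

```python
import re
import sys
from collections import Counter

# Constructed sample of audit records as a dispatcher plugin would see them on
# stdin, one record per line. Field layout is illustrative only.
SAMPLE_EVENTS = """\
type=NETFILTER_PKT msg=audit(1453413000.101:5001): mark=0x0 saddr=10.0.0.5 daddr=10.0.0.9 proto=6
type=SYSCALL msg=audit(1453413000.102:5002): arch=c000003e syscall=59 success=yes exit=0
type=NETFILTER_PKT msg=audit(1453413000.103:5003): mark=0x0 saddr=10.0.0.5 daddr=10.0.0.9 proto=6
type=NETFILTER_PKT msg=audit(1453413000.104:5004): mark=0x0 saddr=10.0.0.7 daddr=10.0.0.9 proto=17
"""

# key=value tokens; the msg=audit(...) token is captured as 'msg'.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Split one audit record line into a {field: value} dict."""
    return dict(FIELD_RE.findall(line.strip()))


def summarize_netfilter(lines):
    """Count NETFILTER_PKT records per (saddr, daddr, proto).

    Every other record type is skipped, mirroring a plugin whose business
    logic only concerns packet events.
    """
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "NETFILTER_PKT":
            continue
        counts[(rec.get("saddr"), rec.get("daddr"), rec.get("proto"))] += 1
    return counts


def disk_logging_disabled(conf_text):
    """Return True when auditd.conf sets log_format = NOLOG.

    With NOLOG auditd writes no records to its log file; events still reach
    the dispatcher and therefore the plugins. Comments and blank lines are
    ignored; the default (log_format unset) means records do go to disk.
    """
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "log_format":
            return value.strip().upper() == "NOLOG"
    return False


if __name__ == "__main__":
    # Run with --stdin to consume real dispatcher output; otherwise use the
    # constructed sample so the script can be tried offline.
    lines = sys.stdin if "--stdin" in sys.argv else SAMPLE_EVENTS.splitlines()
    for (saddr, daddr, proto), n in sorted(summarize_netfilter(lines).items()):
        print(f"{saddr} -> {daddr} proto={proto}: {n} packet record(s)")
```

Keep in mind what NOLOG buys and costs: the plugin still gets every event, but nothing is retrievable later with ausearch, so any record you may need for an investigation has to be preserved by the plugin itself. Newer audit releases document NOLOG as deprecated in favour of write_logs = no; check auditd.conf(5) for the version you run.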
