ausearch on the fly

warron.french warron.french at gmail.com
Tue Dec 24 01:15:32 UTC 2019


I have seen it done in exactly this manner too.  Where I work we do this.

--------------------------
Warron French



On Fri, Dec 20, 2019 at 2:26 PM MAUPERTUIS, PHILIPPE <philippe.maupertuis at equensworldline.com> wrote:

> Thank you steve,
> I will have a look at it.
> Philippe
>
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb at redhat.com]
> Sent: Friday, December 20, 2019 20:24
> To: linux-audit at redhat.com
> Cc: MAUPERTUIS, PHILIPPE
> Subject: Re: ausearch on the fly
>
> On Friday, December 20, 2019 8:33:11 AM EST MAUPERTUIS, PHILIPPE wrote:
> > We are centralizing the audit logs with rsyslog.
> > The SIEM behind the central log server is unable to process the raw logs.
> > We would like to push the ausearch result in CSV format in real time or
> > near real time. Is there a way to have ausearch working from a pipe and
> > waiting when no logs are received?
>
> I think that I've seen others who set up a cron job and use the checkpointing
> feature so that they do not miss anything. You can pipe its output into
> logger. You probably also want to cut the first line which has the column
> headers.
>
> ausearch --start today --checkpoint /root/last-ausearch.chpt --format csv | tail -n +2 | logger
>
> Also, the latest syslog plugin can now do interpretation. I think it's in
> alpha-9 which dates back to Nov 04, 2019.
>
> It really shouldn't be hard to copy and paste the code from ausearch into the
> syslog plugin to log directly in that format. I wonder if anyone else would
> find that useful?
>
> -Steve
>
>
>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
>
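Steve's cron-plus-checkpoint pipeline, written out as a small wrapper script. This is an added example, not code from the thread or from the audit project: the checkpoint path, the syslog tag, the cron schedule and the sample CSV rows are assumptions, and the header-stripping step is exercised on the constructed sample so it can be checked without a running auditd.

```shell
#!/bin/sh
# Added example: cron-driven wrapper around the ausearch --checkpoint | logger
# pipeline from the thread. Not code from the list or from audit-userspace.
# Assumed: the checkpoint path, the syslog tag and the constructed sample rows.
#
# Suggested cron entry (assumed install path for this script):
#   */5 * * * * root /usr/local/sbin/audit-forward.sh run

CHECKPOINT="${CHECKPOINT:-/var/lib/audit-forward/last.chpt}"  # assumed path
LOGGER_TAG="${LOGGER_TAG:-audit-csv}"                          # assumed tag

# ausearch --format csv prints a column-header line before the data rows.
# Drop it so the SIEM does not ingest a bogus "event" on every run; on an
# empty run (nothing new since the checkpoint) nothing passes through.
strip_csv_header() {
    tail -n +2
}

# Number of data rows in a CSV batch read from stdin (header excluded).
count_rows() {
    strip_csv_header | grep -c .
}

# One collection run. ausearch resumes from the checkpoint file, so each cron
# invocation only emits events newer than the last one that was forwarded and
# nothing is lost between runs. The notice ausearch writes to stderr when
# there is nothing new is discarded so cron does not mail it every interval.
collect_once() {
    mkdir -p "$(dirname "$CHECKPOINT")"
    chmod 700 "$(dirname "$CHECKPOINT")"
    ausearch --start today --checkpoint "$CHECKPOINT" --format csv 2>/dev/null \
        | strip_csv_header \
        | logger -t "$LOGGER_TAG"
}

# Constructed sample of one batch (shortened column set, made-up values) so
# the header handling can be checked without a live auditd.
SAMPLE_CSV='NODE,EVENT,DATE,TIME,ACTION,RESULT
host1,USER_LOGIN,12/20/2019,08:33:11,logged-in,success
host1,USER_LOGIN,12/20/2019,08:33:12,logged-in,failed'

# Show the rows that would be handed to logger for the sample batch.
demo() {
    printf '%s\n' "$SAMPLE_CSV" | strip_csv_header
}

case "${1:-}" in
    run) collect_once ;;
    *)   demo ;;
esac
```

Run with `run` from cron to collect and forward; with no argument it only prints the sample rows that would be forwarded. Keeping the checkpoint directory root-only matters because whoever can rewrite the checkpoint can make the next run silently skip events.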