Streaming auditd information to syslog

Bailey, Edward ebailey at transunion.com
Wed Jan 10 20:29:49 UTC 2007


I see what you mean, but from past experience the "actions" class
is just a way to force auditd to do something like clean its files up, or
alert when something particular occurs, then send a message to syslog. I
don't see a way to use the "actions" class to send all audit information
to a syslog server. I think I will give logger a try and see just how
expensive the process turns out to be.

Thanks

Ed 

> -----Original Message-----
> From: redhat-list-bounces at redhat.com 
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Serge Dubrouski
> Sent: Wednesday, January 10, 2007 3:15 PM
> To: General Red Hat Linux discussion list
> Subject: Re: Streaming auditd information to syslog
> 
> Per the description of streaming mode, logger sounds like the right
> tool. But I totally agree with you that it would be too expensive:
> 
> Streaming Mode
>        Streaming mode is pretty much like file mode, except that data is sent
>        to an external command on standard input. This allows forwarding audit
>        data to other hosts via arbitrary mechanisms (including stunnel, ssh,
>        etc).
> 
> But it looks like there is another way to achieve kind of the 
> same result by configuring actions:
> 
> Actions:
> 
> Actions to be performed in response to an output error, or a 
> disk usage problem, can be defined as follows:
> 
> action name {
>         type = ...;
>         data...
> };
> 
> The value of type specifies what sort of action to perform; 
> data contains additional information for the particular type 
> of action.
> 
> ....
> 
> syslog
>     will log a message to the system log, using the log 
> facility and priority specified by the facility and priority variable.
> 
> 
> On 1/10/07, Bailey, Edward <ebailey at transunion.com> wrote:
> >  I thought about that. Auditd is a high volume tool -
> > calling logger for every message seems awfully expensive resource-wise.
> >
> > > -----Original Message-----
> > > From: redhat-list-bounces at redhat.com
> > > [mailto:redhat-list-bounces at redhat.com] On Behalf Of Serge Dubrouski
> > > Sent: Wednesday, January 10, 2007 3:01 PM
> > > To: General Red Hat Linux discussion list
> > > Subject: Re: Streaming auditd information to syslog
> > >
> > > It looks like it can be a simple script calling logger tool.
> > >
> > > man logger.
> > >
> > > On 1/10/07, Bailey, Edward <ebailey at transunion.com> wrote:
> > > > Hello
> > > >
> > > > I am looking into streaming auditd information to a central syslog
> > > > server. I see a place in the audit.conf config file to make this
> > > > happen, but I can't get it to work and I am hoping someone else
> > > > knows how.
> > > >
> > > > In audit.conf
> > > >
> > > > # Alternative output
> > > > output {
> > > >        mode            = stream;
> > > >        command         = "/usr/local/sbin/send_to_syslog"
> > > > };
> > > >
> > > > This seems to be where output is directed to syslog, but what is
> > > > "/usr/local/sbin/send_to_syslog"?
> > > >
> > > > Does anyone know? I can't find an answer.
> > > >
> > > > Thanks
> > > >
> > > > Ed
> > >
> 
------------------------
CONFIDENTIALITY NOTICE
This e-mail and any attachments contain information which may be confidential or privileged and exempt from disclosure under applicable law.  If you are not the intended recipient, be aware that any disclosure, copying, distribution, or use of the contents of this information is without authorization and is prohibited.  If you have received this email in error, please immediately notify us by returning it to the sender and delete this copy from your computer system.  Thank you.
------------------------
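The command named in the quoted audit.conf snippet ("/usr/local/sbin/send_to_syslog") is not something the audit daemon ships; it is whatever program the administrator writes to consume the stream on standard input. Below is an added example of such a program, written for this page and not taken from the thread, the list, or any audit daemon release. It contains both the per-record logger call the thread worries about and a single-process alternative, plus an offline demo that counts how many logger processes each variant starts on a handful of constructed records. Assumptions: records arrive as text, one per line; logger(1) is the util-linux one, which reads stdin and logs one message per line when given no message argument; the tag "auditd" and the facility/severity "local6.info" are placeholder site choices.

```bash
#!/bin/sh
# Added example, not code from the thread or from the auditd project.
# Two candidate bodies for the /usr/local/sbin/send_to_syslog command that
# audit.conf "mode = stream" feeds on standard input, plus an offline demo
# that counts how many logger processes each variant starts.
# Assumptions: records arrive as text, one per line; logger(1) with no
# message argument reads stdin and logs one message per line.

AUDIT_TAG="${AUDIT_TAG:-auditd}"           # syslog tag (assumed site choice)
AUDIT_PRIO="${AUDIT_PRIO:-local6.info}"    # facility.severity (assumed site choice)
LOGGER_CMD="${LOGGER_CMD:-logger}"         # swapped for a stub in the demo below

# Variant 1, the approach the thread worries about: one logger process
# per audit record (a fork+exec for every line auditd emits).
send_per_record() {
    while IFS= read -r rec; do
        [ -n "$rec" ] || continue
        "$LOGGER_CMD" -t "$AUDIT_TAG" -p "$AUDIT_PRIO" "$rec"
    done
}

# Variant 2: drop blank lines, then hand the whole stream to a single
# logger process, which reads one message per line from stdin.
send_stream() {
    grep -v '^$' | "$LOGGER_CMD" -t "$AUDIT_TAG" -p "$AUDIT_PRIO"
}

# Constructed sample records in the "type=... msg=audit(ts:serial): ..." shape
# (values made up for this demo; the blank line is deliberate).
sample_records() {
    cat <<'EOF'
type=USER_LOGIN msg=audit(1168460000.101:1): pid=2001 uid=0 auid=500 msg='op=login acct="ed" exe="/usr/sbin/sshd" res=success'
type=USER_AUTH msg=audit(1168460005.202:2): pid=2002 uid=0 auid=4294967295 msg='op=PAM:authentication acct="root" exe="/bin/su" res=failed'
type=SYSCALL msg=audit(1168460010.303:3): arch=40000003 syscall=5 success=yes exit=3 pid=2003 auid=500 comm="cat" exe="/bin/cat"

type=CONFIG_CHANGE msg=audit(1168460015.404:4): auid=500 op=add rule key=(null) list=4 res=1
EOF
}

# Stand-in for logger(1), used only by the demo: records each invocation in
# $STUB_COUNT_FILE and each message in $STUB_OUT_FILE; like real logger it
# reads stdin when given no message argument.
stub_logger() {
    echo >> "$STUB_COUNT_FILE"
    tag=; prio=
    while [ $# -gt 0 ]; do
        case "$1" in
            -t) tag=$2; shift 2 ;;
            -p) prio=$2; shift 2 ;;
            *) break ;;
        esac
    done
    if [ $# -gt 0 ]; then
        printf '%s %s: %s\n' "$prio" "$tag" "$*" >> "$STUB_OUT_FILE"
    else
        while IFS= read -r line; do
            printf '%s %s: %s\n' "$prio" "$tag" "$line" >> "$STUB_OUT_FILE"
        done
    fi
}

# Run one variant over the sample records against the stub and print
# "<logger invocations> <messages delivered>".
measure() {
    STUB_COUNT_FILE=$(mktemp)
    STUB_OUT_FILE=$(mktemp)
    LOGGER_CMD=stub_logger
    sample_records | "$1"
    printf '%s %s\n' "$(( $(wc -l < "$STUB_COUNT_FILE") ))" \
                     "$(( $(wc -l < "$STUB_OUT_FILE") ))"
    rm -f "$STUB_COUNT_FILE" "$STUB_OUT_FILE"
}

# "send_to_syslog demo" prints the comparison; "send_to_syslog forward"
# behaves as the auditd stream command.  With no argument nothing runs.
case "${1-}" in
    demo)    printf 'per-record: %s\nstream:     %s\n' \
                 "$(measure send_per_record)" "$(measure send_stream)" ;;
    forward) send_stream ;;
esac
```

Running it with `demo` shows the difference in process cost directly: the per-record variant starts one logger per record (four for four records) while the stream variant starts one logger in total and still delivers all four messages. If the daemon's stream output turns out not to be line-oriented text (the thread does not say what format it emits), a converter belongs in front of `send_stream`; if no filtering is needed at all, `exec logger -t "$AUDIT_TAG" -p "$AUDIT_PRIO"` saves the extra shell and grep processes as well.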



