On 08/02/2012 06:54 AM, Burn Alting wrote:
 Hi,
 I have a scenario of a mixed collection of Linux systems, some that have
 users authenticate via a central ldap, others have local (/etc/passwd)
 authentication.
 This means I cannot 100% depend on the user name, say fred, with uid
 1000, having the same uid on every machine he has an account on.  Thus
 before I send my logs to a central server, I want to enrich them with
 user and group names I validate at the local machine. That is, I want
 to change an event's ids from
     .... uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=43
     sgid=43 fsgid=43 ....
 to
     .... uid=1000(fred) gid=1000(prog) euid=1000(fred) suid=1000(fred)
     fsuid=1000(fred) egid=43(utmp) sgid=43(utmp) fsgid=43(utmp) ....
 I BELIEVE my best approach is to use the event multiplexor (audispd) to
 convert raw logs via a child program, say based on the sample code,
 audisp-example (i.e. using the auparse library), and send the output
 of this audisp-example variant to syslog to get the event to a central
 repository.
 Is this the best approach?
 Are there parameters I should consider for audisp.conf (e.g. q_depth =
 99999)? Does such a configuration option in audisp.conf suggest I make
 the buffer size set in audit.rules to something higher?
 Is there any consideration to having auditd have an option to directly
 generate user and group names in addition to uids and gids?
A while ago we were actively working on central log aggregation and ran
into exactly this problem. There are a number of items in an audit log
whose value can only be interpreted on the machine the event occurred on
and at the moment the event occurs (or within a short duration).
There were plans to author an audit plugin that would augment the data
items with their (interpreted) value. I'm not sure whatever happened to
that plugin. Steve, can you elaborate?
-- 
John Dennis <jdennis(a)redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
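The enrichment step the original question describes (rewriting `uid=1000` as `uid=1000(fred)` on the machine that produced the event, before it leaves for the central server) can be prototyped as a small audispd child that reads raw records on stdin. The following is an example added to this thread, not code from the linux-audit project or from either poster; it uses plain regular expressions and the local passwd/group database in place of the auparse-based C plugin the question mentions. The list of id-bearing fields, the sample SYSCALL record and the `fred`/`prog`/`utmp` id map are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Prototype of the enrichment step discussed in the thread: an audispd child
that rewrites numeric uid/gid fields as id(name) using this machine's
passwd/group database, then forwards the event. Added example, not code from
the linux-audit project; it stands in for an auparse-based C plugin."""
import functools
import grp
import pwd
import re
import sys
import syslog
from typing import Callable, Dict, Optional

# Audit record fields that carry a user id or a group id (assumed field list:
# the ones in the thread's sample event plus the login id auid and ouid/ogid).
UID_FIELDS = frozenset({"uid", "auid", "euid", "suid", "fsuid", "ouid"})
GID_FIELDS = frozenset({"gid", "egid", "sgid", "fsgid", "ogid"})

# The kernel reports an unset login uid as (unsigned) -1; there is no name for it.
UNSET_ID = 4294967295

# key=number for the fields above. The lookbehind stops "uid" matching inside
# "euid" or "ppid"-style keys; the lookahead skips values already written as
# 1000(fred), so running the filter twice is harmless.
ID_FIELD_RE = re.compile(
    r"(?<![\w-])(" + "|".join(sorted(UID_FIELDS | GID_FIELDS)) + r")=(\d+)(?![\w(])"
)

Resolver = Callable[[str, int], Optional[str]]


@functools.lru_cache(maxsize=4096)
def _lookup(field: str, num: int) -> Optional[str]:
    """Resolve one id against this machine's passwd/group database (cached,
    since the same ids recur in nearly every record)."""
    try:
        if field in GID_FIELDS:
            return grp.getgrgid(num).gr_name
        return pwd.getpwuid(num).pw_name
    except KeyError:
        return None


def local_resolver(field: str, num: int) -> Optional[str]:
    return _lookup(field, num)


def table_resolver(table: Dict[str, Dict[int, str]]) -> Resolver:
    """Resolver backed by an explicit map, for tests or offline replay."""
    def resolve(field: str, num: int) -> Optional[str]:
        kind = "groups" if field in GID_FIELDS else "users"
        return table[kind].get(num)
    return resolve


def enrich_event(line: str, resolve: Resolver = local_resolver) -> str:
    """Rewrite uid=1000 as uid=1000(fred). Ids that cannot be resolved here
    stay bare, so the central server can tell 'unknown' from 'not enriched'."""
    def substitute(match: re.Match) -> str:
        field, num = match.group(1), int(match.group(2))
        if num == UNSET_ID:
            return match.group(0)
        name = resolve(field, num)
        return match.group(0) if name is None else f"{field}={num}({name})"
    return ID_FIELD_RE.sub(substitute, line)


# Constructed sample: a SYSCALL record carrying the id fields from the thread.
SAMPLE_EVENT = (
    'type=SYSCALL msg=audit(1343890440.123:456): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=1 a1=0 items=1 ppid=1 pid=2345 auid=4294967295 '
    'uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=43 sgid=43 fsgid=43 '
    'tty=(none) ses=4294967295 comm="cat" exe="/bin/cat" key=(null)'
)
# Constructed id map reproducing the names used in the thread.
SAMPLE_IDS = {"users": {1000: "fred"}, "groups": {1000: "prog", 43: "utmp"}}


def main() -> None:
    """Read raw events on stdin (as audispd feeds a child) and emit enriched
    ones; with --syslog they go to the local syslog for central collection."""
    use_syslog = "--syslog" in sys.argv[1:]
    if use_syslog:
        syslog.openlog("audisp-enrich", 0, syslog.LOG_AUTHPRIV)
    for raw in sys.stdin:
        enriched = enrich_event(raw.rstrip("\n"))
        if use_syslog:
            syslog.syslog(syslog.LOG_INFO, enriched)
        else:
            print(enriched)


if __name__ == "__main__":
    if sys.stdin.isatty():  # no piped input: show the rewrite on the sample
        print(enrich_event(SAMPLE_EVENT, table_resolver(SAMPLE_IDS)))
    else:
        main()
```

Two details matter for a filter like this in production: the lookup has to run on the originating host, which is exactly the point made in the reply above, and the output has to be idempotent so a record that already reads `uid=1000(fred)` is not turned into `uid=1000(fred)(fred)` if it passes through the filter twice. Because the child consumes every record audispd hands it, a slow name-service lookup (an LDAP timeout, for instance) is what would fill the `q_depth` queue the question asks about; the small cache keeps steady-state lookups local.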