Re: content and format?

On Thursday 14 December 2006 12:24, John Calcote wrote: I think we should be in position to allow reformatting of audit information on the fly early next year. I think the key to doing this as well as creating many new tools will hinge on the audit parsing library. This library has been spec'ed out and designed with higher level languages in mind. http://people.redhat.com/sgrubb/audit/audit-parse.txt The first problem that anyone runs into if they want to make tools is how to parse the events. This library will let you get past having to study all the messages to create parsing rules. The audit daemon has been created with a realtime interface so that other analytical programs can get their hands on the data in near realtime. This offers a lot of advantages over cron based techniques that read from a file. The realtime interface lets the daemon itself be simple so that it can pass a CAPP/LSPP eval and yet offer expansion capabilities. The plan to allow other formats, reactive programs, or centralized logging is to create a dispatcher that reads the output of the daemon and hands the data to programs that have subscribed to it. Right now, we have a primitive dispatcher to test the concept out with SE Linux where a program analyzes events and offers help to users if they see a pattern that would suggest a boolean needs to be changed. There is another dispatcher that is close to what I am thinking of: http://www.linuon.com/dowloads/led/ Anyways, what we can do is have a plugin that takes audit events and uses the parser library to extract the fields its needs for a message and then write it to disk or send it across the network. John, would this scheme work for you? -Steve