On Friday, April 10, 2020 4:39:37 PM EDT Gabriel Alford wrote: I'd say that if you ask 10 people on this list, you may find 10 different ways they are doing it. It really depends on your requirements. Some places care that you don't mix security officer and system admin roles. (Security Officer may have a system admin under investigation.) In that case, you have to keep the logs separate and this is likely to a MLS system. Other, less demanding sites, don't care because they are one in the same. They send audit logs into syslog and then pick it apart later. And then there are some tools that have their own audisp plugin and transport the logs themselves. Entirely up to the system architect and their security requirements. -Steve