On Mon, 2007-07-02 at 22:02 +0100, Matthew Booth wrote:
> On Mon, 2007-07-02 at 16:43 -0400, John Dennis wrote:
> > The audit parsing library (auparse) can reassemble independent
> > records into a single event (but currently only if the records occur
> > sequentially, non-sequential record assembly is a future feature).
> I'm evaluating a third party product (RSA's enVision) for handling large
> volumes of audit data from large numbers of hosts. I'm delivering audit
> records to it from a custom auditd which does little other than wrap the
> records it receives as syslog and send them in a UDP packet to the
> collector. This is for performance reasons as we're generating a lot of
> audit data. Post-processing with auparse would require either doing this
> inline, on-node, which I don't think would be feasible because of
> performance, or running it on the enVision appliance, which definitely
> isn't feasible as it runs Windows ;) enVision can plug things back
> together, but again it's limited in what it can do in-line for
> performance reasons. It would be easiest all-round if we got the
> information pre-digested.
A few quick points:
enVision can only reassemble records into an event if you are transmitting
the record header information. Are you? If so, and enVision can properly
interpret the header and coalesce matching headers, you're all set.
There is a lot of planned work surrounding aggregate auditing from
multiple hosts, perhaps not relevant to the current evaluation of
enVision, but be aware this technology area is in high churn.
For example, the current audit system now allows interested third
parties to monitor audit information; there is no need for custom audit
daemons, as there is a well defined framework for monitoring.
--
John Dennis <jdennis(a)redhat.com>
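An added example, not code from either poster, of the header-based coalescing John describes. It assumes the standard Linux audit record header `msg=audit(timestamp:serial):`, and the sample lines are constructed. It contrasts auparse's current sequential-only assembly with keying on the header, which is what a collector receiving records over UDP (where interleaving and reordering are likely) has to do:

```python
import re
from collections import OrderedDict

# Every record of one audit event carries the same "audit(timestamp:serial)" header.
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)

# Constructed sample: two events (serials 4567 and 4568) whose records arrive interleaved,
# plus one non-audit syslog line that must be ignored.
SAMPLE = [
    'type=SYSCALL msg=audit(1183411345.123:4567): arch=c000003e syscall=2 success=yes exit=3',
    'type=SYSCALL msg=audit(1183411345.130:4568): arch=c000003e syscall=2 success=no exit=-13',
    'type=CWD msg=audit(1183411345.123:4567): cwd="/home/alice"',
    'type=PATH msg=audit(1183411345.123:4567): item=0 name="notes.txt"',
    'type=PATH msg=audit(1183411345.130:4568): item=0 name="config.yaml"',
    'Jul  2 22:02:01 host kernel: not an audit record',
]

def parse_record(line):
    """Split one audit line into its type, event key (timestamp, serial) and body; None if not audit."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return {"type": m["type"], "key": (m["ts"], m["serial"]), "body": m["body"]}

def assemble_sequential(lines):
    """auparse-style: an event is a run of adjacent records with the same header.
    A header change closes the current event, so interleaved records split one event into several."""
    events, current = [], None
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if current is None or current["key"] != rec["key"]:
            current = {"key": rec["key"], "records": []}
            events.append(current)
        current["records"].append(rec)
    return events

def assemble_by_header(lines):
    """Coalesce purely on the header key, so arrival order does not matter.
    Events are kept in first-seen order; a real collector would also expire stale keys."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        events.setdefault(rec["key"], {"key": rec["key"], "records": []})["records"].append(rec)
    return list(events.values())
```

Run on `SAMPLE`, sequential assembly yields four fragments while header-based assembly yields the two real events.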