On 21.01.2016 18:50, Steve Grubb wrote:
> I'd say it would be better because you don't have to do
> nearly as much work.
> The kernel takes care of all the heavy lifting and you just filter on
> NETFILTER_PKT events.
Good to know, thanks!
> There are plenty of examples of how to do logging of netfilter
> events. You can
> just copy the examples and substitute AUDIT as the target (but you have to add
> a --type argument after it). A couple of examples I found after a quick search:
Sorry, I probably was not clear here. I am able to catch packets by
adding iptables rules like the ones you've mentioned and process events
(with record type AUDIT_NETFILTER_PKT) by code inside my plugin.
The problem is, I would prefer them not to be written to logfiles. My
business logic does not require that (everything is handled by plugin
code), and I noticed that logs are rotated quite fast (I capture all
incoming/outgoing packets). So, is there any way to disable logging and
make audit deliver those events to plugin only?
-Lev
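The plugin-side processing Lev describes, as an added example that is not Lev's plugin code nor part of the audit project: an audit dispatcher plugin receives records as text lines on its stdin, so the block below parses such lines, keeps only NETFILTER_PKT records and tallies packets per source, destination and protocol. It assumes the record body carries the key=value fields mark, saddr, daddr and proto; the sample lines, addresses, timestamps and serials are constructed for the example.

```python
import re
import sys
from dataclasses import dataclass, field

# Constructed sample records in the shape the audit dispatcher hands a plugin on
# stdin (one record per line). Field names follow the NETFILTER_PKT record;
# the addresses, timestamps and serials are made up for this example.
SAMPLE_RECORDS = """\
type=NETFILTER_PKT msg=audit(1453395000.101:2001): mark=0x0 saddr=192.0.2.10 daddr=192.0.2.20 proto=6
type=SYSCALL msg=audit(1453395000.102:2002): arch=c000003e syscall=59 success=yes exit=0
type=NETFILTER_PKT msg=audit(1453395000.103:2003): mark=0x0 saddr=198.51.100.7 daddr=192.0.2.20 proto=17
type=NETFILTER_PKT msg=audit(1453395000.104:2004): mark=0x1 saddr=192.0.2.20 daddr=198.51.100.7 proto=1
"""

# "type=X msg=audit(<seconds>.<millis>:<serial>): <key=value ...>"
_HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; values may be bare tokens or double-quoted strings
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# IANA protocol numbers for the few protocols shown in the sample
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class AuditRecord:
    rtype: str
    timestamp: float
    serial: int
    fields: dict = field(default_factory=dict)


def parse_record(line):
    """Parse one audit record line; return None for anything malformed."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw, quoted in _KV_RE.findall(m.group("body")):
        fields[key] = quoted if raw.startswith('"') else raw
    return AuditRecord(m.group("type"), float(m.group("ts")),
                       int(m.group("serial")), fields)


def summarize_packet(rec):
    """Flatten a NETFILTER_PKT record into the fields a plugin would act on."""
    proto = int(rec.fields.get("proto", "0"))
    return {
        "serial": rec.serial,
        "src": rec.fields.get("saddr"),
        "dst": rec.fields.get("daddr"),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "mark": int(rec.fields.get("mark", "0"), 16),
    }


def process_stream(lines):
    """Keep only NETFILTER_PKT records; return (packets, counts per flow key)."""
    packets, counts = [], {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.rtype != "NETFILTER_PKT":
            continue  # other record types are not this plugin's business
        pkt = summarize_packet(rec)
        packets.append(pkt)
        key = (pkt["src"], pkt["dst"], pkt["proto"])
        counts[key] = counts.get(key, 0) + 1
    return packets, counts


if __name__ == "__main__":
    # Run with --sample to use the constructed records; otherwise read stdin
    # the way the dispatcher feeds a plugin.
    lines = SAMPLE_RECORDS.splitlines() if "--sample" in sys.argv else sys.stdin
    pkts, flows = process_stream(lines)
    for flow, n in sorted(flows.items()):
        print(f"{flow[0]} -> {flow[1]} {flow[2]}: {n} packet(s)")
```

Non-NETFILTER_PKT records are dropped at the plugin rather than acted on, which is the filtering Steve refers to; whether auditd also writes those records to its own log is a daemon-side setting and is not changed by anything in this block.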