Re: Introducing audit-explorer

Hello, On Tuesday, June 20, 2017 12:28:16 PM EDT Vincas Dargis wrote: Thanks. I am working my way around to this. For one, its hard to imagine all the reports that might be of interest without overwhelming the report. If we could define a small list of what is expected or useful, then we can work towards this. The aureport tool is good at doing summary reports. It's about 12 years old. There are newer technologies that might be better to use. For example, how would people like to see reporting in a Jupyter notebook? If you don't know what a Jupyter notebook is, then take a few minutes and google it. Or take a look here: https://github.com/jupyter/jupyter/wiki/A-gallery-of-interesting-Jupyter-... Yes. Another way forward might be to use the CSV extraction options in ausearch and send that into a SQL database. Then any SQL reporting tool out there can be used. I'm going to be starting the 2.8 development cycle in the near future. The goal for it is to get the remote logging better and continue improving the auparse_normalizer API. This will directly lead to more and better reporting options. Things that may be possible: push events in realtime to datalake such as kafka push events in realtime to SQL database demux events out of rsyslog and push into audit aggregation server enhance collectors for various SIEMs Of course to do any of this means I need participation and collaboration from the community. I can't guess what people need to hook up the audit trail to reporting tools. -Steve