Hi Steve,
Many thanks for your response. I made an attempt to modify the code in order to make it aggregate events.
I am not quite happy with the way the changes ended up looking, nor with how the resulting log file looked.
I do plan to have another go at this in the future, but for now I'm going to move on by using a different setup, where the plugin will run locally and I am gonna send the parsed data to a remote machine for storage.
I have some questions for that as well, but I will post those in a new thread.
Cheers,
Wouter
----------------------------------------
From: sgrubb(a)redhat.com
To: woutervanverre(a)outlook.com
CC: linux-audit(a)redhat.com
Subject: Re: Remote logging with autitd
Date: Thu, 13 Nov 2014 21:44:53 -0500
On Thursday, November 13, 2014 11:23:59 PM Wouter van Verre wrote:
> However, in my plugin I only seem to receive data from the central (i.e.
> local) server...
The feed to audispd, right now, is before receiving remote events. Meaning that audispd only sees local events and never aggregate events... as things are now.
> I draw this conclusion both because I see only one node name, and also
> because I generate TTY events on the client server only (and they show in
> /var/log/audit/audit.log as expected), and these do not show in the output
> from my plugin. Is this the expected behaviour?
Today, yes.
> Are plugins only supposed to receive the locally generated audit events? If
> it is, is there a way to forward the remotely generated data to a plugin on
> the central server?
Yes, and it would take some changes to the listening code to insert the events
at the right point in the event loop.
-Steve
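A small way to check the behaviour Steve describes from inside a plugin, added here as an example and not code from the thread or from the audit project: an audispd plugin reads audit records on stdin, and remotely received records carry a `node=` prefix (local ones only do when `name_format` is set in auditd.conf). The script below parses records, groups them into events by (node, timestamp, serial) and reports which nodes were seen; the sample lines are constructed, and the hostname `client1` is a placeholder.

```python
import re
import sys
from collections import defaultdict

# Audit record header: optional "node=<host> " prefix, then "type=<T> "
# and "msg=audit(<seconds.millis>:<serial>): " followed by key=value fields.
HEADER_RE = re.compile(
    r'^(?:node=(?P<node>\S+)\s+)?type=(?P<type>\S+)\s+'
    r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$'
)


def parse_record(line):
    """Return (node, record_type, event_id, fields) or None if not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    node = m.group('node') or 'local'   # no node= prefix means a local record
    event_id = (node, m.group('ts'), m.group('serial'))
    return node, m.group('type'), event_id, m.group('rest')


def aggregate(lines):
    """Group individual records into events keyed by (node, timestamp, serial)."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_record(line)
        if parsed:
            _, rtype, event_id, rest = parsed
            events[event_id].append((rtype, rest))
    return dict(events)


def nodes_seen(events):
    """Distinct node names present; a central server's plugin sees only one."""
    return sorted({node for (node, _, _) in events})


# Constructed sample: one local two-record event, one remote TTY record
# (as forwarded by audisp-remote) and one local USER_LOGIN record.
SAMPLE = [
    'type=SYSCALL msg=audit(1415920000.123:456): arch=c000003e syscall=59 success=yes exit=0',
    'type=EXECVE msg=audit(1415920000.123:456): argc=1 a0="ls"',
    'node=client1 type=TTY msg=audit(1415920001.456:789): tty pid=1234 uid=1000 comm="bash" data=6C730A',
    'type=USER_LOGIN msg=audit(1415920002.789:790): pid=2000 uid=0 auid=1000 res=success',
]

if __name__ == '__main__':   # run as an audispd plugin: records arrive on stdin
    evs = aggregate(sys.stdin)
    print('events:', len(evs), 'nodes:', nodes_seen(evs))
```

Configured as an audispd plugin on the central server, the node list printed is the check for Wouter's observation: with the current feed it will only ever name the local host.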