Hello,
On Tuesday, December 10, 2013 10:17:26 PM Levy, Mark wrote:
> We're trying to find a way to capture the Linux audit data and then
> pass it through to ausearch -I and then send the data to our SIEM
> product for ingestion. Does audispd allow ausearch -I to be used as an
> argument?
No. It has just one job: distribute events to all plugins as fast as possible
to prevent overflow in the queue from auditd.
> What would be the best way to attempt this?
It's really easy to write an audispd plugin to format data exactly how you want
it. Have you looked at the sample code?
https://fedorahosted.org/audit/browser/trunk/contrib/plugin/audisp-example.c
-Steve
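For readers of the archive, an added sketch of what "format data exactly how you want it" looks like in such a plugin. This is neither the audisp-example.c Steve links nor code from either poster: it reads the raw records that audispd hands a plugin on stdin, splits each into type, timestamp, serial and key=value fields, and emits one JSON object per record for a SIEM. The record layout it parses is the standard audit log text (optionally prefixed with node=host), and the sample records used to exercise it are constructed. It does only the syntactic part; interpreting fields the way ausearch -I does (uid to user name, hex decoding) is out of scope and would need libauparse.

```c
/* Added example, not the audisp-example.c from the audit project: the core of
 * an audispd plugin that re-emits raw audit records as JSON lines. audispd
 * writes each record to the plugin's stdin as one text line. Syntactic only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELDS 64
struct field { char key[32]; char val[256]; };
struct audit_rec {
    char type[32];
    char time[32];          /* "seconds.millis", kept as text */
    unsigned long serial;   /* ties the records of one event together */
    int nfields;
    struct field f[MAX_FIELDS];
};

/* Parse one raw record line. Returns 0 on success, -1 on malformed input. */
int parse_audit_record(const char *line, struct audit_rec *r)
{
    const char *p = line, *m, *colon, *close;
    memset(r, 0, sizeof *r);
    if (strncmp(p, "node=", 5) == 0 && !(p = strchr(p, ' '))) return -1; /* node=<host> prefix */
    while (*p == ' ') p++;
    if (sscanf(p, "type=%31s", r->type) != 1) return -1;
    if (!(m = strstr(p, "msg=audit("))) return -1;
    m += strlen("msg=audit(");
    colon = strchr(m, ':'); close = colon ? strchr(colon, ')') : NULL;
    if (!colon || !close || (size_t)(colon - m) >= sizeof r->time) return -1;
    memcpy(r->time, m, (size_t)(colon - m));
    r->serial = strtoul(colon + 1, NULL, 10);
    p = close + 1; if (*p == ':') p++;
    /* key=value pairs; values may be "quoted" or 'quoted' (a USER_* msg='...' stays one value) */
    while (*p) {
        struct field *f; const char *eq, *end; size_t klen, vlen; char q = 0;
        while (*p == ' ' || *p == '\n') p++;
        if (!*p) break;
        if (r->nfields >= MAX_FIELDS) return -1;
        f = &r->f[r->nfields];
        if (!(eq = strchr(p, '='))) return -1;
        klen = (size_t)(eq - p);
        if (klen == 0 || klen >= sizeof f->key || memchr(p, ' ', klen)) return -1;
        memcpy(f->key, p, klen);
        p = eq + 1;
        if (*p == '"' || *p == '\'') { q = *p++; end = strchr(p, q); }
        else for (end = p; *end && *end != ' ' && *end != '\n'; end++) {}
        if (!end) return -1;                      /* unterminated quote */
        vlen = (size_t)(end - p);
        if (vlen >= sizeof f->val) return -1;
        memcpy(f->val, p, vlen);
        p = q ? end + 1 : end;
        r->nfields++;
    }
    return 0;
}

/* Append s at out[pos]; esc escapes '"' and '\\' for JSON. Returns the new position. */
static size_t put(char *out, size_t n, size_t pos, const char *s, int esc)
{
    for (; *s; s++) {
        if (esc && (*s == '"' || *s == '\\')) { if (pos < n) out[pos] = '\\'; pos++; }
        if (pos < n) out[pos] = *s;
        pos++;
    }
    return pos;
}

/* Render the record as one JSON object. Returns its length, or -1 if out is too small. */
int format_json(const struct audit_rec *r, char *out, size_t n)
{
    char head[96]; int i;
    size_t pos = put(out, n, 0, "{\"type\":\"", 0);
    pos = put(out, n, pos, r->type, 1);
    snprintf(head, sizeof head, "\",\"time\":%s,\"serial\":%lu", r->time, r->serial);
    pos = put(out, n, pos, head, 0);
    for (i = 0; i < r->nfields; i++) {
        pos = put(out, n, pos, ",\"", 0);
        pos = put(out, n, pos, r->f[i].key, 1);
        pos = put(out, n, pos, "\":\"", 0);
        pos = put(out, n, pos, r->f[i].val, 1);
        pos = put(out, n, pos, "\"", 0);
    }
    pos = put(out, n, pos, "}", 0);
    if (pos >= n) return -1;
    out[pos] = '\0';
    return (int)pos;
}

/* Plugin loop: keep draining stdin and flush per record so nothing is stranded in stdio. */
int main(void)
{
    static char line[8192], json[16384];
    struct audit_rec r;
    while (fgets(line, sizeof line, stdin))
        if (parse_audit_record(line, &r) == 0 && format_json(&r, json, sizeof json) > 0) { puts(json); fflush(stdout); }
    return 0;
}
```

Two design points follow from Steve's remark about the queue: the loop does nothing slow per record, so if the SIEM side is slow the plugin should buffer and ship asynchronously rather than stall its stdin, and it flushes after every record so a stop from audispd does not lose what is sitting in a stdio buffer. Quotes inside values are escaped because a USER_* record's msg='...' carries double-quoted fields (acct="root") that would otherwise break the JSON. Wiring it in is the same as for any other plugin: a .conf under /etc/audisp/plugins.d pointing at the binary, with the string format so records arrive as text.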