Hello,
In the midst of discussing sending audit logs from a Red Hat CoreOS node to some central audit collection and evaluation tool, the question came up about using audispd instead of Daemonsets. Daemonsets are what is planned for OpenShift. As I understand it, the general principle is to allow auditing to flow through the subsystem, but does it need to flow through the entire auditing workflow? Can a Daemonset be used instead of audispd, or are there reasons audispd should be used over a Daemonset that some of us just aren't aware of?
Thanks,