Philippe,
On Fri, 2020-02-07 at 08:13 +0000, MAUPERTUIS, PHILIPPE wrote:
> On Friday, December 20, 2019 8:33:11 AM EST MAUPERTUIS, PHILIPPE
wrote:
> > We are centralizing the audit logs with rsyslog.The SIEM behind the central
> > log server is unable to process the raw logs.We would like to push the
> > ausearch result in CSV format in real time ornear real time. Is there a way
> > to have ausearch working from a pipe andand waiting when no logs are received
>
> I think that I've seen others who setup a cron job and use the
> checkpointingfeature so that they do not miss anything. You can pipe its output
> intologger. You probably also want to cut the first line which has the
> columnheaders.
> ausearch --start today --checkpoint /root/last-ausearch .chpt --format csv |tail
> -n +2 | logger
On a central log server the input file can grow very big and very fast.Probably
logrotate is needed to keep it in check.What happen to the checkpointing feature
when the file is rotated ?How not to miss the last events from the old file and
get the new events from the new file ?
The above performs a checkpoint on the local machine and then sends it's output to
the local syslog service via the logger program. Ausearchis independent of the
syslog service. The checkpoint function of ausearch takes into account the audit.log
log file roll-over feature built into auditd so,providing your auditd log file
rotation is set appropriately, checkpoint works no matter how many audit.log files
are in the audit log directory.For information, a 9 file 32MB per log file
configuration works well for a very heavy processing host where exec's are logged.
Further, if the generation of logsis such that the checkpoint does miss logs, then
the checkpoint documentation shows one how to address this. If this is noted, then
include the size of or numberof local log files.
> Also, the latest syslog plugin can now do interpretation. I
think its inalpha-9
> which dates back to Nov 04, 2019.
> It really shouldn't be hard to copy and paste the code from ausearch into
> thesyslog plugin to log directly in that format. I wonder if anyone else
> wouldfind that useful?
--Linux-audit mailing listLinux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit