On Monday 13 March 2006 17:51, Kevin Carr wrote:
> Another item that came up here at Tresys is the ability to do log
> monitoring.

As an aside...this is not the recommended thing to do since every access of
the audit logs is an auditable event. If you have to do real-time
monitoring, I would suggest using the audit event dispatcher interface. That
gets all audit events in realtime. The parsing specs we are defining right
now also take a buffer as an input source so that they can be used to examine
events passed via the event dispatcher.

> After our initial parse/search routine, we would like to be able to check
> every so often to see if new messages have been generated and then display
> the messages if they match our search criteria.

This sounds like a 100% fit for the audit event interface.
-Steve
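
Added example, not part of the original message and not the audit project's parser: a sketch of the buffer-as-input approach discussed above, where a process fed by the event dispatcher parses each buffer as it arrives and keeps only records matching the search criteria, so the log file is never reopened. It assumes the dispatcher delivers text records in the audit log line format; the `EventFeed` class and the sample records are constructed for illustration.

```python
import re

# type=NAME msg=audit(<epoch>.<ms>:<serial>): field=value ...
RECORD = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


class EventFeed:
    """Incrementally parse audit records handed over as text buffers."""

    def __init__(self, criteria):
        self.criteria = criteria  # e.g. {"type": "AVC", "comm": "httpd"}
        self.partial = ""         # tail of a line split across two buffers

    def feed(self, buf):
        """Consume one buffer; return the matching records it completed."""
        lines = (self.partial + buf).split("\n")
        self.partial = lines.pop()  # "" if buf ended on a newline
        matches = []
        for line in lines:
            m = RECORD.match(line)
            if not m:
                continue  # not an audit record; skip rather than guess
            rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
            for key, val in FIELD.findall(m.group(4)):
                rec[key] = val.strip('"')
            if all(rec.get(k) == v for k, v in self.criteria.items()):
                matches.append(rec)
        return matches


# Constructed sample records, split mid-line to mimic arbitrary read() sizes.
SAMPLE = [
    'type=SYSCALL msg=audit(1142286660.101:310): arch=40000003 syscall=5 comm="ls" exe="/bin/ls"\n'
    'type=AVC msg=audit(1142286661.202:311): avc:  denied  { read } for  pid=2101 comm="ht',
    'tpd" name="shadow" scontext=system_u:system_r:httpd_t tclass=file\n',
]

if __name__ == "__main__":
    feed = EventFeed({"type": "AVC", "comm": "httpd"})
    # As a dispatcher child the buffers would come from stdin instead (assumption).
    for chunk in SAMPLE:
        for rec in feed.feed(chunk):
            print(rec["time"], rec["serial"], rec["type"], rec["comm"], rec["name"])
```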