Thanks to Steve for being our biggest target for questions on this list!
Has anyone talked about sane ways to do offline analysis of Linux audit
logs? Presumably, this would be on another Linux system, but maybe not
the same host, and probably not on the same release or with the same
username/IP address access. Conceptually, ausearch would save, and
optionally read back, a system's "configuration" for interpretation
later.
My goal is central logging, but doing the reporting/analysis on the
central host. That way, I can see a user across the Enterprise (or at
least in the Linux hosts), but with all the power of ausearch for
refining the report. Ideally, I would do an ausearch -ts <date> -te
<date> --raw --config-to=<hostname.ausearch.config> and it would do
things like saving the syscall lookup table, looking up users referenced in
the reported audit trail, and resolving IP address references in the
reported audit trail. Maybe one config file could be written for each
data type in an existing format (e.g. users in /etc/passwd format, hosts
in /etc/hosts format, etc.). I'm mainly after whether or not anyone has
considered extending ausearch for this kind of processing?
This way, an archive of raw logs could be kept along with the exact
system configuration which allows offloading the audit trail analysis to
a trusted location, rather than risk side effects from a rootkit.
Charlie Todd
Ball Aerospace & Technologies Corp.
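A sketch of the offline interpretation step that such a --config-to snapshot would enable, as an added example that is not part of audit-userspace, of ausearch, or of the original mail. It assumes a hypothetical snapshot layout (syscall table as "arch number name" lines, users in /etc/passwd format, hosts in /etc/hosts format) and works on constructed raw audit records and constructed snapshot contents. The arch= values for x86_64 and i386 and the syscall numbers listed are the real ones; every hostname, user, address and record is made up for the example.

```python
"""Interpret raw Linux audit records against a saved per-host snapshot
instead of the analysis host's own /etc/passwd and syscall table.
Added example with a hypothetical snapshot format; not ausearch code."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# arch= values as the kernel writes them (AUDIT_ARCH_X86_64, AUDIT_ARCH_I386).
ARCH_NAMES = {"c000003e": "x86_64", "40000003": "i386"}
UID_FIELDS = ("auid", "uid", "euid", "suid", "fsuid", "ouid")
UNSET_UID = 4294967295  # (unsigned)-1: auid before any login session

# Constructed snapshot contents, standing in for files a --config-to option
# would write on the monitored host. Syscall numbers are real; note that
# number 2 is open on x86_64 but fork on i386, so the table must be per arch.
SYSCALL_TABLE = """\
x86_64 0 read
x86_64 1 write
x86_64 2 open
x86_64 59 execve
x86_64 257 openat
i386 2 fork
i386 5 open
i386 11 execve
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ctodd:x:1000:1000:Charlie:/home/ctodd:/bin/bash
svcbuild:x:1502:1502::/var/lib/build:/sbin/nologin
"""
HOSTS = """\
127.0.0.1 localhost
10.20.30.40 buildbox.example.internal buildbox
"""

# Constructed raw records (the format ausearch --raw emits), made up here.
RAW_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4711): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1 a1=0 a2=1b6 a3=0 items=1 ppid=2686 pid=3538 auid=1000 uid=1502 gid=1502 euid=1502 suid=1502 fsuid=1502 egid=1502 sgid=1502 fsgid=1502 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="sshd_config"
type=SYSCALL msg=audit(1700000000.456:4712): arch=40000003 syscall=2 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="legacy32" exe="/opt/legacy32" key=(null)
type=USER_LOGIN msg=audit(1700000001.000:4713): pid=1200 uid=0 auid=1000 ses=2 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=10.20.30.40 terminal=ssh res=success'
"""


@dataclass
class HostSnapshot:
    """Lookup tables captured on the monitored host at collection time."""
    hostname: str
    syscalls: dict = field(default_factory=dict)  # (arch, number) -> name
    users: dict = field(default_factory=dict)     # uid -> login name
    hosts: dict = field(default_factory=dict)     # address -> host name

    @classmethod
    def load(cls, hostname, syscall_text, passwd_text, hosts_text):
        snap = cls(hostname)
        for line in syscall_text.splitlines():
            arch, num, name = line.split()
            snap.syscalls[(arch, int(num))] = name
        for line in passwd_text.splitlines():
            parts = line.split(":")
            if len(parts) >= 3:
                snap.users[int(parts[2])] = parts[0]
        for line in hosts_text.splitlines():
            parts = line.split("#", 1)[0].split()
            if len(parts) >= 2:
                snap.hosts[parts[0]] = parts[1]
        return snap


HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw record into a dict; timestamp and serial come from msg=audit(...)."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"type": m.group(1), "serial": int(m.group(4)),
           "time": datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc).isoformat()}
    for key, value in FIELD.findall(m.group(5)):
        rec[key] = value.strip("\"'")
    return rec


def interpret(rec, snap):
    """Resolve numeric fields using the snapshot; unknown values stay visible as numbers."""
    out = dict(rec)
    out["host"] = snap.hostname
    if "arch" in rec:
        arch = ARCH_NAMES.get(rec["arch"], rec["arch"])
        out["arch"] = arch
        if "syscall" in rec:
            num = int(rec["syscall"])
            out["syscall"] = snap.syscalls.get((arch, num), "unknown(%d)" % num)
    for fld in UID_FIELDS:
        if fld in rec:
            uid = int(rec[fld])
            out[fld] = "unset" if uid == UNSET_UID else snap.users.get(uid, "unknown(%d)" % uid)
    if rec.get("addr") not in (None, "?"):
        out["addr"] = snap.hosts.get(rec["addr"], rec["addr"])
    return out


def interpret_log(raw_text, snap):
    return [interpret(parse_record(l), snap) for l in raw_text.splitlines() if l.strip()]


if __name__ == "__main__":
    snapshot = HostSnapshot.load("buildbox", SYSCALL_TABLE, PASSWD, HOSTS)
    for r in interpret_log(RAW_LOG, snapshot):
        print(r["host"], r["time"], r["serial"], r["type"],
              r.get("arch", ""), r.get("syscall", ""), r.get("auid", ""),
              r.get("uid", ""), r.get("addr", ""), r.get("exe", ""))
```

The point of keeping the tables per host is visible in the second record: syscall 2 resolves to fork because the snapshot table is keyed by the record's own arch, and auid 4294967295 is reported as unset rather than looked up. Because nothing here consults the analysis host's passwd, hosts or kernel, the same code gives the same answer regardless of where the archive is read, which is what makes the archive plus snapshot usable on a trusted box.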