Steve,

I will go ahead with my audispd child program that enriches logs and use rsyslog to get them to a central repository.
I also plan to concatenate all messages belonging to the same event (i.e. time:event_id) and send this as one syslog message to the central repository.
I'd rather do this on the client systems than at my central repository, in order to gain the benefits of, effectively, distributed processing.

I have some concerns though:
    - Does the concatenation of messages belonging to one event, outside of bad code on my part, have some non-obvious risks (from those of you who have done this)?
    - I intend that my code will have as small an overhead as I can, but do I risk issues such as overruns of the audispd queue?
    - Do messages from different events ever get intermixed in the output via audispd? And hence I need to cater for multiple simultaneous events streaming in?


I will contribute my code to this list for what it's worth once I've completed it ... perhaps it can be added to the contrib/plugin tree given it passes this list's peer review.

Guillaume,

One element of my central repository will take these 'enriched logs' and map them into CEF also, so I'd be interested in any mappings you are making.

Thanks in advance.
Burn
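The grouping step described in the message above (collect every record of one event, keyed by the time:serial pair in `msg=audit(...)`, and emit it as a single line), as an added example in Python; it is not the poster's plugin nor part of the audit project. It assumes only the real record layout (`msg=audit(<seconds>:<serial>):` on every line, and a `type=EOE` record closing each event, which is what audispd delivers to a plugin on stdin). Two of the concerns raised are handled explicitly: records of different events arriving interleaved are kept in separate pending buckets, and unbounded memory growth (which is what would eventually back up the audispd queue) is prevented by an age limit and a hard cap on pending events, oldest flushed first. The `audit_event` header format and the sample records are constructed for the example.

```python
import re
import time
from collections import OrderedDict

# Every audit record carries "msg=audit(<seconds>.<millis>:<serial>):"; the
# (time, serial) pair identifies the event the record belongs to.
AUDIT_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\):')


class EventAggregator:
    """Group audispd records by event id and hand back completed events.

    Records of different events may arrive interleaved, so partial events are
    held in an insertion-ordered dict until an EOE record closes them, their
    age passes max_age seconds, or the pending count exceeds max_pending
    (oldest flushed first, so memory stays bounded under a burst)."""

    def __init__(self, max_age=2.0, max_pending=1000):
        self.max_age = max_age
        self.max_pending = max_pending
        self.pending = OrderedDict()   # (time, serial) -> [first_seen, [records]]
        self.malformed = 0             # lines without an event id (counted, not dropped silently)

    def feed(self, line, now=None):
        """Consume one audit record; return a list of completed events
        (each a list of the raw record lines, in arrival order)."""
        now = time.monotonic() if now is None else now
        line = line.rstrip('\n')
        m = AUDIT_ID.search(line)
        if not m:
            self.malformed += 1
            return self.flush_stale(now)
        key = (m.group(1), m.group(2))
        done = []
        if line.startswith('type=EOE'):
            # End-of-event marker: the event is complete, emit it now.
            if key in self.pending:
                done.append(self.pending.pop(key)[1])
        else:
            entry = self.pending.setdefault(key, [now, []])
            entry[1].append(line)
        # Hard cap: flush the oldest partial events rather than grow without bound.
        while len(self.pending) > self.max_pending:
            done.append(self.pending.popitem(last=False)[1][1])
        return done + self.flush_stale(now)

    def flush_stale(self, now):
        """Emit events whose first record is older than max_age (lost EOE, etc.)."""
        done = []
        while self.pending:
            key, (first_seen, records) = next(iter(self.pending.items()))
            if now - first_seen < self.max_age:
                break                  # insertion order == age order, rest are fresher
            self.pending.popitem(last=False)
            done.append(records)
        return done


def join_event(records):
    """Join one event's records into a single syslog-ready line (constructed header format)."""
    m = AUDIT_ID.search(records[0])
    header = 'audit_event time=%s serial=%s records=%d' % (m.group(1), m.group(2), len(records))
    return header + ' || ' + ' || '.join(records)


# Constructed sample: two events (serials 4567 and 4568) arriving interleaved,
# the way audispd can deliver them when syscalls overlap.
SAMPLE = [
    'type=SYSCALL msg=audit(1344281462.123:4567): arch=c000003e syscall=2 success=yes exit=3 uid=1000 auid=1000 comm="cat" exe="/bin/cat" key="etc-read"',
    'type=SYSCALL msg=audit(1344281462.124:4568): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=1000 comm="sudo" exe="/usr/bin/sudo" key="priv-exec"',
    'type=CWD msg=audit(1344281462.123:4567): cwd="/home/burn"',
    'type=PATH msg=audit(1344281462.123:4567): item=0 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0',
    'type=EXECVE msg=audit(1344281462.124:4568): argc=2 a0="sudo" a1="-i"',
    'type=EOE msg=audit(1344281462.123:4567): ',
    'type=EOE msg=audit(1344281462.124:4568): ',
]


def run_sample():
    """Feed the constructed records through the aggregator; return the joined lines."""
    agg = EventAggregator()
    out = []
    for i, line in enumerate(SAMPLE):
        for event in agg.feed(line, now=0.1 * i):   # simulated arrival clock
            out.append(join_event(event))
    return out


if __name__ == '__main__':
    # In a real plugin, replace SAMPLE with lines read from sys.stdin and
    # forward each joined line to the local syslog daemon.
    for joined in run_sample():
        print(joined)
```

The age-based flush is what keeps the plugin honest when an EOE never arrives (for example when the kernel's backlog is exceeded and records are lost); without it a single missing terminator would pin that event in memory forever. Sizing `max_pending` against the audispd queue depth in `audispd.conf` is the knob to tune if queue overruns show up in the audit log.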

On Mon, 2012-08-06 at 13:51 -0400, Steve Grubb wrote:
On Thursday, August 02, 2012 09:54:46 AM John Dennis wrote:
> There were plans to author a audit plugin that would augment the data 
> items with their (interpreted) value. I'm not sure whatever happened to 
> that plugin. Steve, can you elaborate?

This is a problem and I think about it every now and then. But there are 
bigger problems first.

-Steve