On Fri, 2015-12-18 at 16:12 +1100, Burn Alting wrote:
On Tue, 2015-12-15 at 08:46 -0500, Steve Grubb wrote:
> On Tuesday, December 15, 2015 09:12:54 AM Burn Alting wrote:
> > I use a proprietary ELK-like system based on ausearch's -i option. I would
> > like to see some variant outputs from ausearch that "package" events into
> > parse-friendly formats (json, xml) that also incorporate the local
> > transformations Steve proposes. I believe this would be the most generic
> > solution to support centralised log management.
> >
> > I am travelling now, but can write up a specification for review next week.
>
> Yes, please do send something to the mail list for people to look at and
> comment on.
>
All,
To reiterate, my need is to generate easy-to-parse events over which
local interpretation has been applied, retaining the raw input to some
of the interpretations if required. I want to then transmit the complete
interpreted event to my central event repository.
My proposal is that ausearch gains the following 'interpreted output'
options:
--Xo plain|json|xml
    generate plain (cf --interpret), xml or json formatted events
--Xr key_a'+'key_b'+'key_c
    include the raw value for the given keys using the new keys
    __r_key_a, __r_key_b, etc. The special key __all__ is
    interpreted to retain the complete raw record. If the raw value
    has no interpreted value, then we will end up with two keys with
    the same value.
I have attached the XSD from which the XML and JSON formats could be
defined.
Is there any interest in this? If it was available, would people make
use of it?
If so I can modify ausearch and generate a proposed patch over the
Christmas break.
Regards
Burn
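The following is an added illustration of the proposed --Xo / --Xr semantics, not code from the list, from ausearch or from Burn's patch. It assumes two constructed records (a raw SYSCALL record and its ausearch -i style interpretation), a '+'-separated --Xr key list, and an assumed key name __r___all__ for the whole raw record requested via __all__, which the proposal leaves unnamed.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample records (not real ausearch output): one raw SYSCALL record
# and the same record after ausearch -i style local interpretation.
RAW_RECORD = ('type=SYSCALL msg=audit(1450143174.123:456): arch=c000003e syscall=2 '
              'success=yes exit=3 a0=7ffd3c uid=0 auid=1000 comm="cat" exe="/usr/bin/cat"')
INTERPRETED_RECORD = ('type=SYSCALL msg=audit(12/15/2015 09:12:54.123:456) : arch=x86_64 '
                      'syscall=open success=yes exit=3 a0=0x7ffd3c uid=root auid=burn '
                      'comm=cat exe=/usr/bin/cat')

# key=value fields; a value may be "quoted", audit(...) with inner spaces, or a bare token
_KV = re.compile(r'(\w+)=("[^"]*"|\w*\([^)]*\)|\S+)')

def parse_kv(record):
    """Return the key=value fields of one audit record as an ordered dict."""
    fields = {}
    for key, value in _KV.findall(record):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields

def interpreted_event(raw_line, interp_line, xr_spec):
    """Interpreted fields plus __r_<key> raw values for keys named in a --Xr spec (a+b+c)."""
    raw = parse_kv(raw_line)
    event = parse_kv(interp_line)
    for key in xr_spec.split('+'):
        if key == '__all__':
            # assumed key name for the whole raw record; the proposal does not fix one
            event['__r___all__'] = raw_line
        elif key in raw:
            # if interpretation changed nothing (e.g. success=yes) both keys hold the same value
            event['__r_' + key] = raw[key]
    return event

def render(event, fmt):
    """Serialise the event in the --Xo style requested: plain, json or xml."""
    if fmt == 'json':
        return json.dumps(event)
    if fmt == 'xml':
        root = ET.Element('event')
        for key, value in event.items():
            ET.SubElement(root, key).text = value
        return ET.tostring(root, encoding='unicode')
    if fmt == 'plain':
        return ' '.join(f'{k}={v}' for k, v in event.items())
    raise ValueError(f'unknown output format: {fmt}')
```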