On 1 Apr 2016, at 5:37 PM, Maupertuis Philippe
<philippe.maupertuis(a)worldline.com> wrote:
The splunk app seems very promising.
Is there a way to use it when audit records are sent to a central syslog server before
feeding Splunk?
For now, the auditd records are prefixed by syslog information when received by Splunk.
Yep, make a 'local' directory in the TA app; copy the TA's default props.conf
to the local directory; uncomment the block at the top of the file, then install the TA on
the heavy forwarders/indexers that cook your syslogged audit events.
Cheers,
Doug
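The fix Doug describes works because Splunk reads an app's local/ directory over its default/ one, and because a SEDCMD in props.conf rewrites the raw event at index time, on whichever tier first parses it. The script below is an added illustration, not the TA's own code or the block it ships: it stages the local override and emulates, with plain sed, the kind of index-time rewrite that strips a syslog header so the record starts at its optional node= and then type= fields, which is what the TA's extractions expect. The TA directory name (TA-linux_auditd), the sourcetype (linux_audit) and the sample record are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Linux Auditd app or the mailing list.
# Assumptions (not stated in the thread): the TA lives under
# $SPLUNK_HOME/etc/apps/TA-linux_auditd and uses sourcetype linux_audit.

# Stage a local override of the TA's default props.conf. Splunk layers
# local/ over default/, so the edit survives app upgrades. The block to
# uncomment is the one at the top of the copied file.
install_local_override() {
    ta_dir="$1"
    mkdir -p "$ta_dir/local"
    cp "$ta_dir/default/props.conf" "$ta_dir/local/props.conf"
    [ -f "$ta_dir/local/props.conf" ]
}

# Strip an rsyslog-style RFC 3164 prefix ("Mon DD HH:MM:SS host tag:") so
# the event begins at "node=..." (if present) and then "type=". A syslog
# header never contains '=', so "[^=]*" cannot run into the audit payload,
# and a record that already starts with node=/type= is left unchanged.
#
# The props.conf equivalent would be of the form (illustrative, assumed
# stanza; prefer the block the TA ships):
#   [linux_audit]
#   SEDCMD-strip_syslog = s/^[^=]*\s((node=\S+\s)?type=)/\1/
strip_syslog_prefix() {
    printf '%s\n' "$1" |
        sed -E 's/^[^=]*[[:space:]]((node=[^[:space:]]+[[:space:]])?type=)/\1/'
}

# Constructed sample: one auditd SYSCALL record as relayed through rsyslog.
SAMPLE='Apr  1 17:37:00 auditsrv audispd: node=web01 type=SYSCALL msg=audit(1459525020.123:4567): arch=c000003e syscall=59 success=yes exit=0 comm="bash" exe="/usr/bin/bash" key="exec"'

# Stand-alone run: print the record as the indexer would store it.
strip_syslog_prefix "$SAMPLE"
```

Because SEDCMD is applied at index time, the TA carrying the uncommented block has to sit on the heavy forwarders or indexers that parse the syslog feed; installing it only on the search head changes nothing, and events indexed before the change keep their syslog prefix.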
> -----Original Message-----
> From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com]
> On behalf of linux-audit-request(a)redhat.com
> Sent: Thursday, 31 March 2016 18:00
> To: linux-audit(a)redhat.com
> Subject: Linux-audit Digest, Vol 138, Issue 9
>
> Today's Topics:
>
> 1. Linux Auditd app for Splunk (Douglas Brown)
> 2. Re: auditd reports port number '0' for connect() system call
> (Steve Grubb)
> 3. Re: Linux Auditd app for Splunk (Steve Grubb)
> 4. Re: Linux Auditd app for Splunk (F Rafi)
> 5. Re: Linux Auditd app for Splunk (Douglas Brown)
> 6. Re: auditd reports port number '0' for connect() system call
> (Kangkook Jee)
> 7. Re: auditd reports port number '0' for connect() system call
> (Kangkook Jee)
> 8. [PATCH] audit: cleanup prune_tree_thread (Jiri Slaby)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 30 Mar 2016 22:34:39 +0000
> From: Douglas Brown <doug.brown(a)qut.edu.au>
> To: "linux-audit(a)redhat.com" <linux-audit(a)redhat.com>
> Subject: Linux Auditd app for Splunk
> Message-ID: <64E84EA2-7954-4B57-857C-DD3B1009A0CB(a)qut.edu.au>
> Content-Type: text/plain; charset="utf-8"
>
> Hi all,
>
> This week I released version 2 of the Linux Auditd app for Splunk:
https://splunkbase.splunk.com/app/2642/
>
> Be sure to let me know if you have any suggestions for improvements.
>
> Cheers,
> Doug
>