Karl MacMillan wrote:
James Antill wrote:
On Tue, 2007-01-30 at 09:49 -0500, Karl MacMillan wrote:
Steve Grubb wrote:
ausearch -m all --raw | grep anything you want
tail -f happens to be my favorite counterexample, but I am certain there are other useful tricks for monitoring logs that will break. Not to mention the number of log monitoring and aggregation tools that assume text logs.

To be fair the new audit dispatcher already has a plugin that does the same thing as "tail -f" without needing to call stat(), and that'll be released before auditd has binary logs ... although one could certainly argue that it's not as obvious, it seems like a small price.


So you will have that wheel reinvented soon - that still leaves many, many more that you have no control over.

Even with a tail replacement there have to be thousands of internally written and maintained log monitoring and reporting apps that will break; this is a fundamental change in how logging works on Linux, not something that can or should be changed on a whim (or otherwise).

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit