On Mon, 2007-07-02 at 22:02 +0100, Matthew Booth wrote:
> On Mon, 2007-07-02 at 16:43 -0400, John Dennis wrote:
> > The audit parsing library (auparse) can reassemble independent
> > records into a single event (but currently only if the records occur
> > sequentially; non-sequential record assembly is a future feature).
>
> I'm evaluating a third party product (RSA's enVision) for handling large
> volumes of audit data from large numbers of hosts. I'm delivering audit
> records to it from a custom auditd which does little other than wrap the
> records it receives as syslog and send them in a UDP packet to the
> collector. This is for performance reasons, as we're generating a lot of
> audit data. Post-processing with auparse would require either doing this
> inline, on-node, which I don't think would be feasible because of
> performance, or running it on the enVision appliance, which definitely
> isn't feasible as it runs Windows ;) enVision can plug things back
> together, but again it's limited in what it can do in-line for
> performance reasons. It would be easiest all-round if we got the
> information pre-digested.
A few quick points: enVision can only reassemble records into an event if
you are transmitting the record header information; are you? If so, and
enVision can properly interpret the header and coalesce matching headers,
you're all set.

There is a lot of planned work surrounding aggregate auditing from multiple
hosts, perhaps not relevant to the current evaluation of enVision, but be
aware this technology area is in high churn. For example, the current audit
system now allows interested third parties to monitor audit information;
there is no need for custom audit daemons, as there is a well-defined
framework for monitoring.

--
John Dennis <[EMAIL PROTECTED]>

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
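The header-based coalescing John asks about, as an added example that is not part of the thread or of auparse: it groups records on the `msg=audit(timestamp:serial)` key of the standard audit log format, beside a sequential-only assembler that splits interleaved events the way the thread describes. The sample records are constructed for the example, not captured data.

```python
import re

# Audit record header, e.g. "type=SYSCALL msg=audit(1183414982.123:456): ...";
# the (timestamp:serial) pair is the event identifier records are coalesced on.
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')

# Constructed sample (not captured data): records of two events arrive interleaved,
# which sequential-only assembly would split apart.
SAMPLE = """\
type=SYSCALL msg=audit(1183414982.123:456): arch=c000003e syscall=2 success=yes exit=3 comm="cat"
type=CWD msg=audit(1183414982.123:456): cwd="/home/alice"
type=SYSCALL msg=audit(1183414982.130:457): arch=c000003e syscall=59 success=yes exit=0 comm="sh"
type=PATH msg=audit(1183414982.123:456): item=0 name="/etc/passwd" inode=1234
type=EXECVE msg=audit(1183414982.130:457): argc=2 a0="sh" a1="-c"
type=CWD msg=audit(1183414982.130:457): cwd="/tmp"
"""

def parse_record(line):
    """Return a dict for one record, or None if the header is missing or malformed."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    return {"type": d["type"], "key": (d["ts"], int(d["serial"])), "body": d["body"]}

def assemble_by_header(lines):
    """Group records by header key regardless of arrival order.
    Returns (events keyed by (ts, serial), count of headerless records dropped)."""
    events, dropped = {}, 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            dropped += 1  # no header means no way to attribute the record to an event
            continue
        events.setdefault(rec["key"], []).append(rec)
    return events, dropped

def assemble_sequential(lines):
    """Sequential-only assembly: a new event starts whenever the key changes, so
    interleaved records of one event end up split across several fragments."""
    fragments = []
    for rec in filter(None, map(parse_record, lines)):
        if not fragments or fragments[-1][0] != rec["key"]:
            fragments.append((rec["key"], []))
        fragments[-1][1].append(rec)
    return fragments
```

On the sample, header-based assembly yields two complete events while sequential assembly yields four fragments; a record shipped without its header is counted as dropped because nothing remains to attribute it by.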
