Just a thought from someone who is following this list closely b/c I'm tasked with setting up a multi-host system auditing capability - one thing Steve G. mentioned was:

> > it both decodes AND performs contextual substitution. Contextual
> > substitution only has meaning when applied on the same host and at
> > approximately the same time as when the audit record was generated.
>
> Correct. You are talking about something the library does not handle
> today. The reason is because there is no designed method to aggregate
> logs. So, when that work is done, auparse will be fixed up to handle
> the situation.

I have been thinking about how to solve this also; I bet I'm not alone. So if/when changes are made I'd be grateful if it is included. I'll be willing to participate as required.

LCB.

ps: Steve the prelude plugins are excellent!

--
LC (Lenny) Bruzenak
[EMAIL PROTECTED]

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
