On Thu, 2008-08-14 at 17:43 -0400, DJ Delorie wrote: > Second in a series, a bit bigger than the first one. > (http://www.redhat.com/archives/linux-audit/2008-August/msg00070.html) > > The goal of this patch is to add the server side of the remote logging > feature. To this end, a new auditd-listener.c is added which listens > on a TCP port for connections from other systems' audisp-remote > plugins. A new (private) protocol is added which prepends each > message with a header, giving length, status, version, and sequence > information. Each message begets a reply from the server, so we can > pass along status like "disk full" or "ok". Currently, these call a > set of stub functions, as the details of performing appropriate > actions from the plugin are yet to be decided. > > The remote plugin has a new option "format" for "ascii" or "managed" > to choose between the old protocol (ascii strings) and the new one > (the header with ACK, default). > > The listener will accept either format. It has new options for the > listen port, accept queue size, and acceptable client-side ports. > > Comments? > > DJ
Sorry to be dense, but if it isn't too much trouble would you mind supplying an example use-case for this new capability? I went back and read the supplied link but it isn't clear to me how to take advantage of this, and I suspect it is important. What I'm getting is that in addition to kernel-generated local events the auditd would also receive signals as well as tcp-based events from other sources. Would this be the way of implementing multi-source audit aggregation or is it something different? Thx, LCB. -- LC (Lenny) Bruzenak [EMAIL PROTECTED] -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
