On Wednesday, October 26, 2011 03:12:44 PM [email protected] wrote:
> I want to send my auditd messages to our local log collector via
> syslog-ng, what is the recommended way of doing this?

If the auditd daemon never starts up, the events go to syslog by default. All 
you need to do is come up with a way for the rules to get loaded. If that is 
not good, there is a syslog plugin for audispd that will send events to 
syslog. You can also configure auditd not to write to disk.

> Can I enter syslog-ng as the dispatcher?

No. It wouldn't know how to interpret the data stream.

> Does anyone know if Red Hat or anyone else offers training for auditd, or 
> can you recommend any books that might help?

I just posted a set of slides from a recent speech here:
http://people.redhat.com/sgrubb/audit/audit_ids_2011.pdf

It gives a good review of how it works. Also, the CAPP/LSPP cert rpms have some 
admin guidance on the audit system, as does the security target that went with 
the certs.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
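Once the audispd syslog plugin forwards events, the collector has to interpret the audit record format itself. As an added example (my own, not code from this thread or from the audit project), the parser below reads constructed sample lines in the shape that plugin produces, groups records by event serial, and flags two conditions a collector-side rule might watch for; all hostnames, serials and field values are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real events): a syslog prefix, then the raw
# audit record text as the audispd builtin syslog plugin hands it to syslog.
SAMPLE_SYSLOG = """\
Oct 26 15:12:44 host audispd: type=SYSCALL msg=audit(1319656364.123:456): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat" auid=1000 uid=0 key="shadow-read"
Oct 26 15:12:44 host audispd: type=PATH msg=audit(1319656364.123:456): item=0 name="/etc/shadow" inode=1234 mode=0100000 ouid=0
Oct 26 15:12:45 host audispd: type=USER_LOGIN msg=audit(1319656365.500:457): pid=999 uid=0 auid=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" res=failed'
Oct 26 15:12:46 host sshd[999]: Failed password for root from 192.0.2.10 port 4242 ssh2
"""

HEADER = re.compile(r"type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)")
FIELD = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

def parse_fields(text):
    """Split an audit key=value body; quoted values may contain spaces."""
    out = {}
    for key, val in FIELD.findall(text):
        val = val.strip("'\"")
        # USER_* records nest a second key=value list inside msg='...'
        out[key] = parse_fields(val) if key == "msg" and "=" in val else val
    return out

def parse_record(line):
    """Return a dict for one audit record, or None for a non-audit syslog line."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    rec.update(parse_fields(m.group("body")))
    return rec

def group_events(text):
    """Group records by serial: one syscall event spans SYSCALL, PATH, CWD ... records."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)

def flag_events(events):
    """Collector-side checks: successful reads of /etc/shadow and failed logins."""
    hits = []
    for serial, recs in sorted(events.items()):
        by_type = {r["type"]: r for r in recs}
        sc = by_type.get("SYSCALL")
        paths = [r.get("name") for r in recs if r["type"] == "PATH"]
        if sc and sc.get("success") == "yes" and "/etc/shadow" in paths:
            hits.append((serial, "shadow-read", sc.get("auid")))
        msg = by_type.get("USER_LOGIN", {}).get("msg")
        if isinstance(msg, dict) and msg.get("res") == "failed":
            hits.append((serial, "failed-login", msg.get("acct")))
    return hits
```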
