Hi, I was wondering if there had already been an effort or solution to consolidate msgs from auditd into a single line. I'm talking about buffering the messages until EOE (or timing out/empty buffer if EOE doesn't come on errors), and concatenating messages with the same ID into a single message. Potentially also transforming the message syntax while at it.
I'm asking because some loggers will only accept specific message formats. I looked at the plugins, but, from what I gather, the kernel sends the messages as raw strings and I'm not sure of the performance/memory impact when auditd cranks out a lot of messages. An alternative could be to send all the msgs as text to a remote auditd host using audispd-remote, and process the log file on that host. It means even more messages to process, however, and I'm not sure the text file interface will be fast enough, might have too much disk activity, break often, etc., if auditd, again, cranks out a lot of messages from many hosts (like several thousand per second). Any insight?

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
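One way to do the buffering described in the question, as an added example (this is not code from the list thread or from the audit project): a small Python coalescer that groups records by the serial number in `msg=audit(ts:serial)`, emits one consolidated line when the `EOE` record arrives, and times out events whose `EOE` never shows up so the pending buffer stays bounded. The sample records, the `coalesce()` driver and the one-line output format are constructed for illustration; a real deployment would read records from stdin as an audisp plugin and call `feed()` per line.

```python
import re
import time
from collections import OrderedDict

# Constructed sample records (not captured from a real host). Event 4242 is a complete
# three-record syscall event closed by EOE; event 4243 is missing its EOE on purpose.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/usr/bin/ls"',
    'type=EXECVE msg=audit(1700000000.123:4242): argc=2 a0="ls" a1="-l"',
    'type=CWD msg=audit(1700000000.123:4242): cwd="/home/alice"',
    'type=EOE msg=audit(1700000000.123:4242): ',
    'type=SYSCALL msg=audit(1700000001.500:4243): arch=c000003e syscall=257 success=yes exit=3 comm="cat" exe="/usr/bin/cat"',
    'type=PATH msg=audit(1700000001.500:4243): item=0 name="/etc/hostname" nametype=NORMAL',
]

# Matches the fixed prefix every audit record carries: type=<T> msg=audit(<ts>:<serial>): <body>
MSG_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)


class EventCoalescer:
    """Buffers records per event serial until EOE or until `timeout` seconds have passed."""

    def __init__(self, timeout=2.0, clock=time.monotonic):
        self.timeout = timeout
        self.clock = clock  # injectable so tests can control time
        # serial -> {"ts": str, "first_seen": float, "records": [(type, body), ...]}
        # OrderedDict keeps insertion order, i.e. oldest pending event first.
        self.pending = OrderedDict()

    def feed(self, line):
        """Consume one raw record. Returns a list of finished events (usually empty or one)."""
        m = MSG_RE.match(line.rstrip("\n"))
        if not m:
            return []  # not an audit record; a real plugin would count/log this separately
        serial = int(m["serial"])
        rtype = m["type"]
        if rtype == "EOE":
            ev = self.pending.pop(serial, None)
            return [self._render(serial, ev, complete=True)] if ev else []
        ev = self.pending.setdefault(
            serial, {"ts": m["ts"], "first_seen": self.clock(), "records": []}
        )
        ev["records"].append((rtype, m["body"].strip()))
        # Every incoming record is also an opportunity to age out stragglers.
        return self.flush_expired()

    def flush_expired(self):
        """Emit events older than `timeout` as incomplete (their EOE was lost or never sent)."""
        now = self.clock()
        done = []
        for serial in list(self.pending):
            ev = self.pending[serial]
            if now - ev["first_seen"] < self.timeout:
                break  # entries are insertion-ordered, so everything after this is newer
            del self.pending[serial]
            done.append(self._render(serial, ev, complete=False))
        return done

    @staticmethod
    def _render(serial, ev, complete):
        # One line per event; records are joined with " | " (constructed output format).
        parts = [f"{rtype} {body}" if body else rtype for rtype, body in ev["records"]]
        flag = "yes" if complete else "no"
        return f"ts={ev['ts']} serial={serial} complete={flag} " + " | ".join(parts)


def coalesce(lines, timeout=2.0):
    """Run a batch through a coalescer with a fake clock; returns one output line per event."""
    clock = [0.0]
    c = EventCoalescer(timeout=timeout, clock=lambda: clock[0])
    out = []
    for line in lines:
        out.extend(c.feed(line))
        clock[0] += 0.1  # pretend 100 ms passes between records
    clock[0] += timeout  # idle period, so anything still pending times out
    out.extend(c.flush_expired())
    return out


if __name__ == "__main__":
    for event_line in coalesce(SAMPLE_RECORDS):
        print(event_line)
```

Records that never get an `EOE` (single-record events, or the tail of an event cut off by an error) only leave the buffer through the timeout path, so `timeout` is the knob that trades latency against memory: at several thousand records per second, the number of pending events is at most roughly rate multiplied by timeout, which is what keeps the buffer from growing without bound.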
