----- Original Message -----
> 2) Write an audispd plugin that used the sd-journal API to store
> audit events in the journal.
>
> 3) Add sd-journal as a log format to auditd.
Both of these will run into the problem recently discussed on this mailing list: the available methods to parse audit records into fields are a bit imprecise/"lossy" because not all records keep the name=value format as expected. This can be OK if auparse is able to extract all the data you need/expect to process.

Mirek

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
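To make the "lossy" point above concrete, here is an added example (not code from this thread, from auparse or from audit-userspace): a minimal name=value splitter that records every stretch of a record it could not turn into a field, so a plugin author can see what a fields-only view of an event would drop and keep the raw line beside the parsed fields. The function names are my own, and the sample records are constructed, modelled on the auditd line format rather than taken from a real system.

```python
import re

# One name=value field; the value is bare, "double-quoted" or 'single-quoted'.
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
# Header as auditd writes it: type=TYPE msg=audit(SECONDS.MILLIS:SERIAL): body
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")

def split_fields(body):
    """Split BODY into name=value pairs; return (fields, leftovers), where
    leftovers is every stretch of text a fields-only consumer would lose."""
    fields, leftovers, pos = {}, [], 0
    for m in FIELD_RE.finditer(body):
        gap = " ".join(body[pos:m.start()].split())
        if gap:
            leftovers.append(gap)
        name, value = m.group(1), m.group(2)
        if len(value) > 1 and value[0] in "\"'" and value[-1] == value[0]:
            value = value[1:-1]
        if name == "msg" and "=" in value:  # USER_* records nest fields in msg='...'
            value, inner = split_fields(value)
            leftovers.extend(inner)
        fields[name] = value
        pos = m.end()
    tail = " ".join(body[pos:].split())
    if tail:
        leftovers.append(tail)
    return fields, leftovers

def parse_record(line):
    """Parse one raw auditd line; the raw text is kept so nothing is lost."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, ts, serial, body = m.groups()
    fields, leftovers = split_fields(body)
    return {"type": rtype, "time": float(ts), "serial": int(serial),
            "fields": fields, "leftovers": leftovers, "raw": line}

# Constructed sample records modelled on the auditd formats (not real events).
SAMPLES = [
    'type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 '
    'success=no exit=-13 pid=3538 auid=500 comm="cat" exe="/bin/cat" key="sshd_config"',
    'type=USER_LOGIN msg=audit(1364481363.500:24290): pid=3600 uid=0 auid=4294967295 '
    'msg=\'op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 res=failed\'',
    'type=AVC msg=audit(1364481363.243:24287): avc:  denied  { read } for  pid=3538 '
    'comm="cat" name="sshd_config" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=file',
]

if __name__ == "__main__":
    for rec in map(parse_record, SAMPLES):
        print(rec["type"], sorted(rec["fields"]), "dropped:", rec["leftovers"])
```

The AVC sample shows the failure mode: its "avc: denied { read } for" prefix is not name=value, so it survives only in leftovers or in the raw line.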