I use a proprietary ELK-like system based on ausearch's -i option. I would like to see some variant outputs from ausearch that "package" events into parse-friendly formats (json, xml) and that also incorporate the local transformations Steve proposes. I believe this would be the most generic solution to support centralised log management.
I am travelling now, but can write up a specification for review next week.

Burn Alting

On 15 Dec 2015 4:13 am, <[email protected]> wrote:
>
> ELK
> Splunk
>
> We use a proprietary vendor product that migrates data into an HDFS store via RabbitMQ based collectors and dumps them in raw form. From there I have access to all the usual "big data" tools albeit I'm not using Flume just yet, we're still trying to get a handle on operationalizing all the various big data components so that data science developers can focus on development instead of operations and support of the hardware/software ecosystem.
>
> Kevin D Dienst
>
>
> From: Joe Wulf <[email protected]>
> To: "[email protected]" <[email protected]>
> Date: 12/14/2015 10:51 AM
> Subject: Re: New draft standards
> Sent by: [email protected]
> ________________________________
>
> Steve,
>
> The last place I was at heavily used Splunk and then transitioned to dual-routing a substantial portion of the logs from across the infrastructure to ELK, as well.
>
> -Joe
>
> ________________________________
> From: Steve Grubb <[email protected]>
> To: F Rafi <[email protected]>; "[email protected]" <[email protected]>
> Sent: Monday, December 14, 2015 10:34 AM
> Subject: Re: New draft standards
>
> But I guess this gives me an opportunity to ask the community what tools they
> are using for audit log collection and viewing? It's been a couple years since
> we had this discussion on the mail list and I think some things have changed.
>
> Do people use ELK?
> Apache Flume?
> Something else?
>
> It might be possible to write a plugin to translate the audit logs into the
> native format of these tools.
>
> -Steve
>
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
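The kind of "packaging" Burn describes, as an added example that is not code from the linux-audit project or from anyone in this thread: it reads raw audit.log records, groups the records that share one serial number into a single event, adds a human-readable form next to a few numeric fields (a tiny constructed stand-in for the tables `ausearch -i` consults; the real tool covers far more), and emits one JSON document per event, which is what ELK-style collectors ingest most easily. The sample log lines are constructed for the example; the regular expression assumes the standard `type=... msg=audit(secs.millis:serial):` record header.

```python
"""Package raw Linux audit records into one JSON document per event.

Added example (not code from the linux-audit project or the mail thread):
groups records by serial number, interprets a few numeric fields in the
spirit of `ausearch -i`, and emits parse-friendly JSON, one line per event.
"""
import json
import re
import shlex
from datetime import datetime, timezone

# Header shared by every raw audit record: type=T msg=audit(SECS.FRAC:SERIAL): body
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<secs>\d+)\.(?P<frac>\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)

# Tiny constructed stand-in for the lookup tables ausearch -i uses.
ARCH_NAMES = {"c000003e": "x86_64"}
SYSCALL_NAMES_X86_64 = {"2": "open", "59": "execve", "257": "openat"}

# Constructed sample: one file-access event (three records), one PAM event,
# and one junk line to exercise the skip path.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1450090800.123:4521): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd2e3a1b40 a1=0 a2=1b6 a3=0 items=1 ppid=2112 pid=2201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="etc-shadow"
type=CWD msg=audit(1450090800.123:4521):  cwd="/root"
type=PATH msg=audit(1450090800.123:4521): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100000 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=USER_ACCT msg=audit(1450090801.456:4522): pid=2300 uid=0 auid=1000 ses=3 msg='op=PAM:accounting acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
this line is not an audit record and is skipped
"""


def parse_fields(body):
    """Split a record body into a dict.  Quoted values may contain spaces, and
    the msg='...' field of USER_* records is itself a key=value list, so it is
    parsed recursively into a nested dict."""
    fields = {}
    for token in shlex.split(body):
        key, sep, value = token.partition("=")
        if not sep:
            continue  # stray token without '='; skip it rather than fail the record
        if key == "msg" and "=" in value:
            value = parse_fields(value)
        fields[key] = value
    return fields


def interpret(rec_type, fields):
    """Add readable forms beside the raw numeric ones (both are kept so the
    original value stays searchable), mimicking a slice of ausearch -i."""
    out = dict(fields)
    if rec_type == "SYSCALL":
        arch = ARCH_NAMES.get(fields.get("arch"))
        if arch:
            out["arch_name"] = arch
        if arch == "x86_64":
            name = SYSCALL_NAMES_X86_64.get(fields.get("syscall"))
            if name:
                out["syscall_name"] = name
    return out


def package_events(lines):
    """Group records by serial into events, in first-seen order.  Records of
    the same type are kept in a list because PATH repeats once per item.
    Returns (events, number_of_skipped_lines)."""
    events = {}
    skipped = 0
    for line in lines:
        m = HEADER_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        serial = int(m["serial"])
        if serial not in events:
            # Build the timestamp from integer parts to avoid float rounding.
            ts = datetime.fromtimestamp(int(m["secs"]), tz=timezone.utc)
            ts = ts.replace(microsecond=int(m["frac"].ljust(6, "0")[:6]))
            events[serial] = {
                "serial": serial,
                "audit_ts": f'{m["secs"]}.{m["frac"]}',
                "@timestamp": ts.isoformat(),
                "records": {},
            }
        rec = interpret(m["type"], parse_fields(m["body"]))
        events[serial]["records"].setdefault(m["type"], []).append(rec)
    return list(events.values()), skipped


def to_json_lines(lines):
    """One JSON document per event, suitable for a line-oriented collector."""
    events, _ = package_events(lines)
    return [json.dumps(e, sort_keys=True) for e in events]


if __name__ == "__main__":
    for doc in to_json_lines(SAMPLE_LOG.splitlines()):
        print(doc)
```

Keeping the raw value and adding the interpreted one under a separate key (for example `syscall` beside `syscall_name`) is deliberate: searches written against either form keep working, and a later change to the lookup tables never rewrites history.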
