On Fri, 2015-12-18 at 16:12 +1100, Burn Alting wrote:
> On Tue, 2015-12-15 at 08:46 -0500, Steve Grubb wrote:
> > On Tuesday, December 15, 2015 09:12:54 AM Burn Alting wrote:
> > > I use a proprietary ELK-like system based on ausearch's -i option. I would
> > > like to see some variant outputs from ausearch that "package" events into
> > > parse-friendly formats (json, xml) and also incorporate the local
> > > transformations Steve proposes. I believe this would be the most generic
> > > solution to support centralised log management.
> > >
> > > I am travelling now, but can write up a specification for review next
> > > week.
> >
> > Yes, please do send something to the mail list for people to look at and
> > comment on.
>
> All,
>
> To reiterate, my need is to generate easy-to-parse events over which
> local interpretation has been applied, retaining the raw input to some
> of the interpretations if required. I want to then transmit the complete
> interpreted event to my central event repository.
>
> My proposal is that ausearch gains the following 'interpreted output'
> options:
>
> --Xo plain|json|xml
>     generate plain (cf --interpret), xml or json formatted events
>
> --Xr key_a'+'key_b'+'key_c
>     include the raw value for the given keys using the new keys
>     __r_key_a, __r_key_b, etc. The special key __all__ is
>     interpreted to retain the complete raw record. If the raw value
>     has no interpreted value, then we will end up with two keys with
>     the same value.
>
> I have attached the XSD from which the XML and JSON formats could be
> defined.
Is there any interest in this? If it was available, would people make use of
it? If so I can modify ausearch and generate a proposed patch over the
Christmas break.

Regards
Burn

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
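The --Xo/--Xr behaviour sketched in the proposal above, as an added example that is not part of the original mail, of ausearch, or of Burn's patch: a small Python prototype that reads raw audit records, applies ausearch -i style local interpretation from constructed lookup tables, groups records into one event per audit serial, and emits it as json, xml or plain text, keeping the raw value under __r_<key> for each requested key and the complete raw record for __all__. The UID, arch and syscall tables, the sample records, the __r___all__ key name, the XML element names and the package() entry point are all assumptions; the XSD attached to the original mail is not on this page.

```python
"""Prototype of the --Xo/--Xr 'interpreted output' proposal: raw audit records in,
interpreted JSON/XML/plain events out, with raw values kept under __r_<key>."""
import json
import re
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Constructed lookup tables (assumptions); ausearch -i resolves these from
# /etc/passwd and the local host's per-arch syscall tables.
UID_NAMES = {"0": "root", "1000": "burn"}
ARCH_NAMES = {"c000003e": "x86_64"}
SYSCALL_NAMES = {"x86_64": {"59": "execve", "257": "openat"}}
UID_KEYS = ("uid", "auid", "euid", "suid", "fsuid", "ouid")
HEX_KEYS = ("proctitle", "comm", "exe", "cwd", "name")  # hex-encoded when unquoted
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
FIELD_RE = re.compile(r"([A-Za-z0-9_-]+)=(\"[^\"]*\"|'[^']*'|\S*)")


def parse_record(line):
    """Split a raw record into (type, timestamp, serial, raw key->value)."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, ts, serial, rest = m.groups()
    return rtype, ts, serial, OrderedDict(FIELD_RE.findall(rest))  # values stay raw


def interpret_value(rtype, key, value):
    """One raw field rendered the way ausearch -i prints it."""
    if value[:1] in ("'", '"') and value[-1:] == value[:1]:
        return value[1:-1]  # quoted text: just drop the quotes
    is_hex = key in HEX_KEYS or (rtype == "EXECVE" and re.fullmatch(r"a\d+", key))
    if is_hex and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        # unquoted text fields are hex-encoded; NULs separate argv words
        return bytes.fromhex(value).replace(b"\0", b" ").decode("utf-8", "replace").strip()
    if key in UID_KEYS:
        return UID_NAMES.get(value, value)
    if key == "arch":
        return ARCH_NAMES.get(value, value)
    return value


def interpret(rtype, fields):
    out = OrderedDict((k, interpret_value(rtype, k, v)) for k, v in fields.items())
    if "syscall" in out:  # the syscall table depends on the interpreted arch
        out["syscall"] = SYSCALL_NAMES.get(out.get("arch"), {}).get(out["syscall"], out["syscall"])
    return out


def group_events(lines):
    """Group records by their audit(ts:serial) id, as ausearch does."""
    events = OrderedDict()
    for line in lines:
        if line.strip() and not line.startswith(("----", "time->")):
            rtype, ts, serial, fields = parse_record(line)
            events.setdefault((ts, serial), []).append((rtype, line.strip(), fields))
    return events


def package_event(ts, serial, records, raw_keys=()):
    """Interpreted event plus __r_<key> raw values for the --Xr keys. The raw
    value is kept even when it equals the interpreted one. '__all__' keeps the
    complete raw record; storing it as __r___all__ is this example's choice."""
    want = set(raw_keys)
    event = OrderedDict([("timestamp", ts), ("serial", serial), ("records", [])])
    for rtype, raw_line, fields in records:
        rec = OrderedDict([("type", rtype)])
        rec.update(interpret(rtype, fields))
        rec.update(("__r_" + k, v) for k, v in fields.items() if k in want)
        if "__all__" in want:
            rec["__r___all__"] = raw_line
        event["records"].append(rec)
    return event


def render(event, fmt):
    """--Xo plain|json|xml. XML element names are assumptions (the XSD is not here)."""
    if fmt == "json":
        return json.dumps(event, indent=1)
    if fmt == "xml":
        root = ET.Element("event", timestamp=event["timestamp"], serial=event["serial"])
        for rec in event["records"]:
            r = ET.SubElement(root, "record", type=rec["type"])
            for k, v in rec.items():
                if k != "type":
                    ET.SubElement(r, "field", name=k).text = v
        return ET.tostring(root, encoding="unicode")
    if fmt == "plain":
        return "\n".join(" ".join("%s=%s" % kv for kv in rec.items()) for rec in event["records"])
    raise ValueError("unknown output format: %s" % fmt)


def package(text, fmt="json", raw_keys=()):
    """Whole pipeline: `ausearch --raw` text in, one rendered string per event out."""
    return [render(package_event(ts, serial, recs, raw_keys), fmt)
            for (ts, serial), recs in group_events(text.splitlines()).items()]


# Constructed sample in the form `ausearch --raw` prints: one event, three records.
SAMPLE = """\
type=SYSCALL msg=audit(1450415520.123:4321): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b a1=0 a2=0 a3=0 items=2 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="cmds"
type=EXECVE msg=audit(1450415520.123:4321): argc=2 a0="id" a1=2D75
type=PROCTITLE msg=audit(1450415520.123:4321): proctitle=6964002D75
"""
```

Running package(SAMPLE, "json", raw_keys=["uid", "syscall", "exe", "__all__"]) yields one event whose SYSCALL record carries uid=root beside __r_uid=0, syscall=execve beside __r_syscall=59, the untouched raw line under __r___all__, and exe twice with the same value, which is the duplicate-key case the proposal points out; the hex-encoded EXECVE argument and proctitle come out decoded, and the raw hex is only retained if those keys are named in raw_keys.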
