I have seen it done in exactly this manner too. Where I work we do this.

--------------------------
Warron French

On Fri, Dec 20, 2019 at 2:26 PM MAUPERTUIS, PHILIPPE <[email protected]> wrote:
> Thank you Steve,
> I will have a look at it.
> Philippe
>
> -----Original Message-----
> From: Steve Grubb [mailto:[email protected]]
> Sent: Friday, 20 December 2019 20:24
> To: [email protected]
> Cc: MAUPERTUIS, PHILIPPE
> Subject: Re: ausearch on the fly
>
> On Friday, December 20, 2019 8:33:11 AM EST MAUPERTUIS, PHILIPPE wrote:
> > We are centralizing the audit logs with rsyslog.
> > The SIEM behind the central log server is unable to process the raw logs.
> > We would like to push the ausearch result in CSV format in real time or
> > near real time. Is there a way to have ausearch working from a pipe and
> > waiting when no logs are received?
>
> I think that I've seen others who set up a cron job and use the checkpointing
> feature so that they do not miss anything. You can pipe its output into
> logger. You probably also want to cut the first line which has the column
> headers.
>
> ausearch --start today --checkpoint /root/last-ausearch.chpt --format csv | tail -n +2 | logger
>
> Also, the latest syslog plugin can now do interpretation. I think it's in
> alpha-9 which dates back to Nov 04, 2019.
>
> It really shouldn't be hard to copy and paste the code from ausearch into the
> syslog plugin to log directly in that format. I wonder if anyone else would
> find that useful?
>
> -Steve
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
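A cron-safe wrapper around the pipeline in Steve's reply (checkpointed ausearch, header line dropped, records handed to logger), added here as an example; it is not code from the thread or from the audit project. The checkpoint path, lock file, syslog tag/facility and the function names are assumptions of mine; ausearch, flock and logger are the real tools.

```shell
#!/bin/sh
# Added example, not from the thread: cron wrapper for
#   ausearch --checkpoint ... --format csv | tail -n +2 | logger
# Assumed values: CHECKPOINT, LOCKFILE, TAG and the function names are mine.
set -u

CHECKPOINT="${CHECKPOINT:-/root/last-ausearch.chpt}"    # ausearch --checkpoint file
LOCKFILE="${LOCKFILE:-/run/lock/ausearch-forward.lock}" # prevents overlapping cron runs
TAG="${TAG:-audit-csv}"                                 # syslog tag rsyslog/SIEM can route on

# produce: the ausearch call from the thread. When the checkpoint file exists,
# ausearch resumes after the last event it recorded there; --start today only
# matters on the very first run, before a checkpoint has been written.
produce() {
    ausearch --start today --checkpoint "$CHECKPOINT" --format csv
}

# strip_csv_header: ausearch prints one column-header line first; drop it.
# tail -n +2 emits nothing for empty input, so an idle run logs nothing.
strip_csv_header() {
    tail -n +2
}

# sink: one syslog message per CSV record, tagged and on a dedicated facility
# so the central rsyslog can file it separately from the raw audit stream.
sink() {
    logger -t "$TAG" -p local6.info
}

# forward_records: the three stages glued together.
forward_records() {
    produce | strip_csv_header | sink
}

# Entry point for cron, e.g.
#   * * * * * root /usr/local/sbin/ausearch-forward.sh run
# flock -n skips this minute's run instead of racing a still-running one,
# which would otherwise corrupt or skip ahead in the shared checkpoint file.
case "${1:-}" in
    run)     exec flock -n "$LOCKFILE" "$0" forward ;;
    forward) forward_records ;;
esac
```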
