Philippe,
On Fri, 2020-02-07 at 08:13 +0000, MAUPERTUIS, PHILIPPE wrote:
> > On Friday, December 20, 2019 8:33:11 AM EST MAUPERTUIS, PHILIPPE wrote:
> > > We are centralizing the audit logs with rsyslog. The SIEM behind the central
> > > log server is unable to process the raw logs. We would like to push the
> > > ausearch result in CSV format in real time or near real time. Is there a way
> > > to have ausearch working from a pipe and waiting when no logs are received?
> > 
> > I think that I've seen others who set up a cron job and use the
> > checkpointing feature so that they do not miss anything. You can pipe its
> > output into logger. You probably also want to cut the first line which has the
> > column headers.
> > ausearch --start today --checkpoint /root/last-ausearch.chpt --format csv | tail -n +2 | logger
> 
> On a central log server the input file can grow very big and very fast. Probably
> logrotate is needed to keep it in check. What happens to the checkpointing feature
> when the file is rotated? How not to miss the last events from the old file and
> get the new events from the new file?

The above performs a checkpoint on the local machine and then sends its output to
the local syslog service via the logger program. Ausearch is independent of the
syslog service. The checkpoint function of ausearch takes into account the audit.log
log file roll-over feature built into auditd so, providing your auditd log file
rotation is set appropriately, checkpoint works no matter how many audit.log files
are in the audit log directory. For information, a 9 file 32MB per log file
configuration works well for a very heavy processing host where exec's are logged.
Further, if the generation of logs is such that the checkpoint does miss logs, then
the checkpoint documentation shows one how to address this. If this is noted, then
include the size of or number of local log files.

> > Also, the latest syslog plugin can now do interpretation. I think it's in
> > alpha-9 which dates back to Nov 04, 2019.
> > It really shouldn't be hard to copy and paste the code from ausearch into
> > the syslog plugin to log directly in that format. I wonder if anyone else
> > would find that useful?
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit
>
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
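A cron-friendly wrapper around the checkpointed ausearch pipeline from the reply above, as an added example that is not code from the thread or from the audit project. It assumes the checkpoint path /root/last-ausearch.chpt mentioned in the thread and a hypothetical logger tag audit-csv; AUSEARCH and LOGGER can be overridden so the script can be exercised with stand-in commands.

```shell
#!/bin/sh
# Added example (not from the thread): run the checkpointed ausearch pipeline
# from cron, drop the CSV column header, and only call logger when ausearch
# actually produced rows, so an empty run or a "<no matches>" line is never
# forwarded to the central log server as if it were an event.
# The checkpoint path and the logger tag are assumptions; override AUSEARCH,
# CHECKPOINT and LOGGER to test with stand-in commands.
AUSEARCH="${AUSEARCH:-ausearch}"
CHECKPOINT="${CHECKPOINT:-/root/last-ausearch.chpt}"
LOGGER="${LOGGER:-logger -t audit-csv}"

# Print the CSV rows recorded since the last checkpoint, header removed.
# A line without a comma cannot be a CSV row (e.g. "<no matches>"), so it is
# dropped; the trailing "|| true" keeps an empty result from counting as an
# error under "set -e".
collect_new_rows() {
    "$AUSEARCH" --start today --checkpoint "$CHECKPOINT" --format csv 2>/dev/null |
        tail -n +2 | grep ',' || true
}

# Forward the new rows to syslog through logger and print how many were sent.
# Printing 0 and returning success is deliberate: no new events is normal for
# a frequent cron job and must not be reported as a failure.
forward_audit_csv() {
    rows=$(collect_new_rows)
    if [ -z "$rows" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$rows" | $LOGGER
    printf '%s\n' "$rows" | wc -l | tr -d ' '
}

# Cron entry point, e.g. "* * * * * /usr/local/sbin/audit-csv-forward.sh run"
# (path is an assumption); the checkpoint file carries state between runs.
if [ "${1:-}" = "run" ]; then
    forward_audit_csv >/dev/null
fi
```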