On Friday, August 10, 2012 07:51:29 PM Burn Alting wrote:
Steve,
I will go ahead with my audispd child program that enriches logs and use
rsyslog to get them to a central repository.
I also plan to concatenate all messages belonging to the same event (i.e.
time:event_id) and send this as one
On 08/02/2012 06:54 AM, Burn Alting wrote:
Hi,
I have a scenario of a mixed collection of Linux systems, some that have
users authenticate via a central ldap, others have local (/etc/passwd)
authentication.
This means I cannot 100% depend that the user name say, fred, with uid
1000, has the
I'm doing something similar on an audisp plugin as you mentioned. It's
part of a different plugin that changes the log format (to CEF) and does
a few other things, so unfortunately only some snippets would help you.
For user names eg:
auid = auparse_find_field(au, "auid");
if
- Original Message -
It might still be an idea to have auparse_get_uid(au) etc.
I'm not 100% sure what you mean, but is perhaps auparse_interpret_field what
you are looking for? It returns an interpreted (as opposed to raw) version
of the field, e.g. a name instead of a UID.
Mirek
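As an added example (not code from this thread, nor from the audit-userspace project), the following shows the enrichment step being discussed, done on the originating host in plain libc rather than through libauparse: a constructed raw audit record is parsed for its auid field, the numeric uid is resolved with getpwuid() (the lookup auparse_interpret_field performs for uid-typed fields, including the "unset" case for (uid_t)-1), and the resolved name is appended before the record is handed to rsyslog. Resolving here, rather than at the central collector, is what keeps the mapping correct when some hosts use LDAP and others /etc/passwd. The helper names find_field, interpret_uid and enrich_record and the sample record are assumptions made for this example.

```c
/* Added example, not from the thread: resolve auid to a name on the host
 * that produced the record, before shipping it to a central repository. */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample record (hypothetical values, not from a real system). */
static const char SAMPLE_RECORD[] =
    "type=USER_LOGIN msg=audit(1344585089.123:4567): pid=2345 uid=0 auid=1000 "
    "ses=3 msg='op=login acct=\"fred\" exe=\"/usr/sbin/sshd\" res=success'";

/* Hypothetical helper: copy the value of "key=" (up to whitespace) into out.
 * Returns out, or NULL if the key is absent. Mirrors what
 * auparse_find_field() hands back for the current record. */
static char *find_field(const char *rec, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = rec;
    while ((p = strstr(p, key)) != NULL) {
        /* match only at a token boundary so "uid=" does not match "auid=" */
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t n = strcspn(v, " \n");
            if (n >= outlen)
                n = outlen - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return out;
        }
        p += klen;
    }
    return NULL;
}

/* Hypothetical helper: interpret a uid the way the audit tools do.
 * (uid_t)-1 is "unset"; a uid known to this host becomes the account name;
 * anything else is left numeric so nothing is silently mislabelled. */
static const char *interpret_uid(const char *raw, char *out, size_t outlen)
{
    char *end;
    unsigned long v = strtoul(raw, &end, 10);
    struct passwd *pw;

    if (*raw == '\0' || *end != '\0') {
        snprintf(out, outlen, "%s", raw);   /* not numeric: pass through */
        return out;
    }
    if ((uid_t)v == (uid_t)-1) {
        snprintf(out, outlen, "unset");
        return out;
    }
    pw = getpwuid((uid_t)v);               /* local passwd, NSS or LDAP view */
    if (pw != NULL)
        snprintf(out, outlen, "%s", pw->pw_name);
    else
        snprintf(out, outlen, "%s", raw);   /* unknown here: keep the number */
    return out;
}

/* Hypothetical helper: append auid_name= resolved on this host, so the
 * collector never has to guess which host's uid space "1000" belongs to. */
static int enrich_record(const char *rec, char *out, size_t outlen)
{
    char raw[32], name[64];
    if (find_field(rec, "auid", raw, sizeof raw) == NULL)
        return -1;                          /* record carries no auid */
    interpret_uid(raw, name, sizeof name);
    snprintf(out, outlen, "%s auid_name=\"%s\"", rec, name);
    return 0;
}

int main(void)
{
    char line[1024];
    if (enrich_record(SAMPLE_RECORD, line, sizeof line) == 0)
        puts(line);
    return 0;
}
```

The numeric auid is kept alongside the resolved name rather than replaced, so a record whose uid could not be resolved on the source host is still distinguishable from one that resolved to a genuine account of the same name elsewhere.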
On 08/02/2012 05:12 PM, Miloslav Trmac wrote:
I'm not 100% sure what you mean, but is perhaps
auparse_interpret_field what you are looking for? It returns an
interpreted (as opposed to raw) version of the field, e.g. a name
instead of a UID.
Yes, that's the correct function to call. However