--- Joshua Brindle <[EMAIL PROTECTED]> wrote:
> This is fairly off topic here (selinux list) but I agree with Karl. As a
> recovering admin I think I can say that admins expect to be able to use
> various unix utilities to inspect log files, particularly tail -f. While
> I'm all for applications putting their data in private data formats and
> using tools and libraries to inspect them I think it is generally
> considered that everything in /var/log is fair game to inspect with
> anything available on systems (including perl, python, sed, awk, tail,
> grep, etc).
>
> You will certainly be rubbing most admins the wrong way by forcing them
> through a different interface that won't support some common commands
> like tail -f.
>
> There are probably hundreds of utilities that look through these files
> as well, what is going to happen when people try to add audit.log to a
> log watcher that emails logs to them? Huge binary dumps in email are
> going to make people turn off the audit daemon, not modify their apps to
> use different tools/libraries.

Based on the Unix experience I find myself agreeing with this assessment.
Binary (or compressed) audit logs don't get read very often. A mechanism
like audit_filters(5) from Irix makes the problem more manageable, but the
truth is that humans like their information human-readable. Disk space used
to be a major problem, and I/O bandwidth still is (you can overwhelm any
system with too much audit no matter how optimal your audit data), but the
cost of translation-on-read is going to stop most humans from ever doing it.

Casey Schaufler
[EMAIL PROTECTED]

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
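The trade-off the two messages above argue about, as an added illustration that is not code from the linux-audit thread or from the audit project: the same constructed events are written once as key=value lines and once in a packed binary record, and a grep-style line filter is run over both. The event fields, the `EVENTS` values and the binary layout (`HDR`, `TYPE_CODES`) are assumptions made up for this example and do not describe any real audit format.

```python
"""Text versus binary audit records and what each does to line-oriented inspection.
Added example for the thread above; the record layouts here are hypothetical."""
import re
import struct
from typing import Dict, Iterator, List

# Constructed sample events; names and values are invented for illustration.
EVENTS = [
    {"type": "SYSCALL", "ts": 1700000000, "pid": 1234, "uid": 0,
     "success": True, "exe": "/usr/bin/passwd"},
    {"type": "AVC", "ts": 1700000001, "pid": 1235, "uid": 1000,
     "success": False, "exe": "/usr/bin/httpd"},
    {"type": "SYSCALL", "ts": 1700000002, "pid": 1236, "uid": 1000,
     "success": False, "exe": "/bin/cat"},
]


def to_text(events) -> bytes:
    """One record per line, key=value fields: the shape tail -f, grep and awk expect."""
    lines = []
    for e in events:
        lines.append('type=%s msg=audit(%d): pid=%d uid=%d success=%s exe="%s"' % (
            e["type"], e["ts"], e["pid"], e["uid"],
            "yes" if e["success"] else "no", e["exe"]))
    return ("\n".join(lines) + "\n").encode("ascii")


# Hypothetical binary layout (an assumption, not any real audit format):
# little-endian header of type code, timestamp, pid, uid and success flag,
# followed by a 16-bit length and the raw exe path bytes.
HDR = struct.Struct("<BIIIB")
TYPE_CODES = {"SYSCALL": 1, "AVC": 2}
TYPE_NAMES = {code: name for name, code in TYPE_CODES.items()}


def to_binary(events) -> bytes:
    """Pack each event into the hypothetical fixed header plus length-prefixed path."""
    out = bytearray()
    for e in events:
        exe = e["exe"].encode("ascii")
        out += HDR.pack(TYPE_CODES[e["type"]], e["ts"], e["pid"], e["uid"],
                        int(e["success"]))
        out += struct.pack("<H", len(exe)) + exe
    return bytes(out)


def decode_binary(blob: bytes) -> Iterator[Dict]:
    """Translation-on-read: the extra step every consumer of the binary log must take."""
    off = 0
    while off < len(blob):
        code, ts, pid, uid, ok = HDR.unpack_from(blob, off)
        off += HDR.size
        (n,) = struct.unpack_from("<H", blob, off)
        off += 2
        exe = blob[off:off + n].decode("ascii")
        off += n
        yield {"type": TYPE_NAMES[code], "ts": ts, "pid": pid, "uid": uid,
               "success": bool(ok), "exe": exe}


def grep(pattern: str, data: bytes) -> List[str]:
    """What grep does: a regex per line with no knowledge of the record layout.
    Bytes are decoded as latin-1 so a binary file is searched rather than rejected."""
    rx = re.compile(pattern)
    return [ln for ln in data.decode("latin-1").splitlines() if rx.search(ln)]


def looks_like_text(data: bytes) -> bool:
    """Rough test a mail-based log watcher implicitly applies: printable ASCII plus tab/newline."""
    return all(b in (9, 10, 13) or 32 <= b < 127 for b in data)


def denied_events(binary_blob: bytes) -> List[str]:
    """Only after decoding can the binary log be filtered for failed events."""
    return [e["exe"] for e in decode_binary(binary_blob) if not e["success"]]
```

On the text form, `grep("success=no", ...)` answers the question directly; on the binary form the same pattern finds nothing, and `denied_events` has to decode every record first. The binary blob is smaller, which is the disk-space argument, but it fails the `looks_like_text` check that a log-to-email watcher would effectively apply.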
