We're syslogging to a hosted search provider (somewhat like Splunk). They
don't currently support automatic auditd log parsing. However, we have
written custom scheduled alerts based on the syscalls we're logging.
I believe someone also posted a Splunk auditd app a while back.
https://splunkbase.s
On Thursday, April 28, 2016 07:55:13 PM Warron S French wrote:
> If I centralize audit logging through rsyslog, and I have each of the remote
> machines' /etc/rsyslog.conf to use the same generic audit.log file name
> instead of customizing the audit logs with something like;
> HOSTNAME-audit.log,
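The "custom scheduled alerts based on the syscalls we're logging" mentioned above can be reproduced locally for testing before they go into a hosted search product. The following is an added example, not code from either poster: it parses auditd SYSCALL records as the audisp syslog plugin forwards them (the `node=` field is assumed to be enabled via `name_format` in auditd.conf; the host names, timestamps and event serials in the sample lines are constructed), maps x86_64 syscall numbers to names with a deliberately partial table, and raises an alert when a watched syscall or a watched audit rule key appears. Because the originating host is read from `node=` and falls back to the syslog host field, the alerts stay attributable even when every remote machine writes to the same generic audit.log name.

```python
import re
from collections import Counter

# Constructed sample input: auditd records relayed by audispd over syslog,
# plus one CWD record and one unrelated sshd line that must be ignored.
SAMPLE_LINES = [
    'Apr 28 19:55:13 web01 audispd: node=web01 type=SYSCALL msg=audit(1461873313.101:2001): '
    'arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1200 pid=1234 auid=1000 uid=0 '
    'gid=0 euid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="exec"',
    'Apr 28 19:55:14 web01 audispd: node=web01 type=SYSCALL msg=audit(1461873314.102:2002): '
    'arch=c000003e syscall=257 success=yes exit=3 items=1 pid=1235 auid=1000 uid=1000 '
    'comm="cat" exe="/usr/bin/cat" key="etc-shadow"',
    'Apr 28 19:55:20 db02 audispd: node=db02 type=SYSCALL msg=audit(1461873320.500:9100): '
    'arch=c000003e syscall=101 success=no exit=-1 items=0 pid=4000 auid=1001 uid=1001 '
    'comm="gdb" exe="/usr/bin/gdb" key=(null)',
    'Apr 28 19:55:21 db02 audispd: node=db02 type=CWD msg=audit(1461873320.500:9100): cwd="/root"',
    'Apr 28 19:55:22 db02 sshd[4321]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2',
]

# Syslog prefix as written by the audisp syslog plugin (assumed layout).
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) audispd: (?P<body>.*)$')
# key=value pairs: quoted strings, parenthesised values such as (null), or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG_RE = re.compile(r'audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\)')

# Partial x86_64 (arch=c000003e) syscall table; extend as your rules require.
X86_64_SYSCALLS = {2: 'open', 59: 'execve', 87: 'unlink', 90: 'chmod',
                   101: 'ptrace', 105: 'setuid', 165: 'mount', 257: 'openat'}

# Detection policy: syscalls and audit rule keys worth a scheduled alert.
WATCHED_SYSCALLS = {'execve', 'ptrace', 'setuid', 'mount'}
WATCHED_KEYS = {'etc-shadow', 'sudoers'}


def parse_audit_line(line):
    """Return a dict of audit fields for an audispd syslog line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = {'syslog_host': m.group('host'), 'syslog_time': m.group('ts')}
    for key, value in FIELD_RE.findall(m.group('body')):
        rec[key] = value.strip('"')
    mm = MSG_RE.search(m.group('body'))
    if mm:
        rec['epoch'] = float(mm.group('epoch'))
        rec['serial'] = int(mm.group('serial'))
    return rec


def evaluate(rec):
    """Apply the watch policy to one parsed SYSCALL record; return an alert or None."""
    if rec is None or rec.get('type') != 'SYSCALL':
        return None
    name = None
    if rec.get('arch') == 'c000003e' and rec.get('syscall', '').isdigit():
        name = X86_64_SYSCALLS.get(int(rec['syscall']))
    reasons = []
    if name in WATCHED_SYSCALLS:
        reasons.append('syscall:' + name)
    if rec.get('key') in WATCHED_KEYS:
        reasons.append('key:' + rec['key'])
    if not reasons:
        return None
    return {
        # node= identifies the origin even when all hosts share one log file name.
        'host': rec.get('node') or rec['syslog_host'],
        'serial': rec.get('serial'),
        'syscall': name,
        'exe': rec.get('exe'),
        'auid': rec.get('auid'),
        'uid': rec.get('uid'),
        'success': rec.get('success'),
        'reasons': reasons,
    }


def run_alerts(lines):
    """Evaluate every line; return (alerts, alert count per originating host)."""
    alerts = [a for a in (evaluate(parse_audit_line(l)) for l in lines) if a]
    return alerts, Counter(a['host'] for a in alerts)


if __name__ == '__main__':
    found, per_host = run_alerts(SAMPLE_LINES)
    for a in found:
        print(a['host'], a['serial'], a['syscall'], a['exe'], a['reasons'])
    print(dict(per_host))
```

The syscall table is keyed on the `arch=` value on purpose: the same number means different syscalls on different architectures, so a rule that matches on the bare number without checking `arch` will produce wrong alerts on a mixed fleet.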
If I centralize audit logging through rsyslog, and I have each of the remote
machines' /etc/rsyslog.conf to use the same generic audit.log file name instead
of customizing the audit logs with something like; HOSTNAME-audit.log, because
ausearch apparently only looks for a file specifically of th