On 12/14/2015 08:34 AM, Steve Grubb wrote:
That is not exactly what I proposed. What I was proposing was to record the
translation of things that could change between systems and thus prevent
correct interpretation later. Doing all translations is technically possible
but would slow down auditd j
On Sun, 2015-12-27 at 10:06 -0500, Steve Grubb wrote:
> On Sunday, December 27, 2015 11:30:59 AM Burn Alting wrote:
> > I'll start with the statement I am happy to enhance the audit capability
> > of Linux in any way (read that as a direct offer to help).
>
> Thanks!
>
> > > I'm somewhat interest
On Sunday, December 27, 2015 11:30:59 AM Burn Alting wrote:
> I'll start with the statement I am happy to enhance the audit capability
> of Linux in any way (read that as a direct offer to help).
Thanks!
> > I'm somewhat interested in this. I'm just not sure where the best place to
> > do all th
On Sat, 2015-12-26 at 11:38 -0500, Steve Grubb wrote:
> On Thursday, December 24, 2015 09:44:00 AM Burn Alting wrote:
> > On Fri, 2015-12-18 at 16:12 +1100, Burn Alting wrote:
> > > On Tue, 2015-12-15 at 08:46 -0500, Steve Grubb wrote:
> > > > On Tuesday, December 15, 2015 09:12:54 AM Burn Alting w
On Thursday, December 24, 2015 09:44:00 AM Burn Alting wrote:
> On Fri, 2015-12-18 at 16:12 +1100, Burn Alting wrote:
> > On Tue, 2015-12-15 at 08:46 -0500, Steve Grubb wrote:
> > > On Tuesday, December 15, 2015 09:12:54 AM Burn Alting wrote:
> > > > I use a proprietary ELK-like system based on aus
On Fri, 2015-12-18 at 16:12 +1100, Burn Alting wrote:
> On Tue, 2015-12-15 at 08:46 -0500, Steve Grubb wrote:
> > On Tuesday, December 15, 2015 09:12:54 AM Burn Alting wrote:
> > > I use a proprietary ELK-like system based on ausearch's -i option. I would
> > > like to see some variant outputs from
On Tue, 2015-12-15 at 08:46 -0500, Steve Grubb wrote:
> On Tuesday, December 15, 2015 09:12:54 AM Burn Alting wrote:
> > I use a proprietary ELK-like system based on ausearch's -i option. I would
> > like to see some variant outputs from ausearch that "packages" events into
> > parse-friendly forma
On Tuesday, December 15, 2015 09:12:54 AM Burn Alting wrote:
> I use a proprietary ELK-like system based on ausearch's -i option. I would
> like to see some variant outputs from ausearch that "packages" events into
> parse-friendly formats (json, xml) that also incorporates the local
> transformati
On 15/12/10, Paul Moore wrote:
> On Thu, Dec 10, 2015 at 5:49 PM, Steve Grubb wrote:
> > On Wed, 09 Dec 2015 12:43:37 +1100
> > Burn Alting wrote:
> >
> >> Steve,
> >>
> >> Can you mock up some examples of an 'enriched' event showing how it is
> >> different from what we have now.
> >
> > type=LO
velopment
instead of operations and support of the hardware/software ecosystem.
>
> Kevin D Dienst
>
>
>
>
> From:Joe Wulf
> To:"linux-audit@redhat.com"
> Date:12/14/2015 10:51 AM
> Subject:Re: New draft standards
> Se
"linux-audit@redhat.com"
Sent: Monday, December 14, 2015 10:34 AM
Subject: Re: New draft standards
But I guess this gives me an opportunity to ask the community what tools
they are using for audit log collection and viewing? It's been a couple years
since we had this discussion on th
Subject: Re: New draft standards
But I guess this gives me an opportunity to ask the community what tools they
are using for audit log collection and viewing? It's been a couple years since
we had this discussion on the mail list and I think some things have changed.
Do people use ELK?
Ap
On Thursday, December 10, 2015 12:40:55 PM F Rafi wrote:
> My comments are more from a log user (not developer) perspective. We are
> exporting close to 10GB/day of mostly auditd logs. This will potentially go
> up to 20GB/day next year.
>
> I'd prefer the ability to translate all auditd logs befor
On Wednesday, December 09, 2015 11:35:02 PM Steve Grubb wrote:
> On Tue, 08 Dec 2015 19:28:22 -0500
>
> Paul Moore wrote:
> > Okay, let's not call these "standards" and just stick with
> > "specifications". The term standards has all sorts of connotations
> > associated with it, both good and bad
On Thu, Dec 10, 2015 at 5:49 PM, Steve Grubb wrote:
> On Wed, 09 Dec 2015 12:43:37 +1100
> Burn Alting wrote:
>
>> Steve,
>>
>> Can you mock up some examples of an 'enriched' event showing how it is
>> different from what we have now.
>
> type=LOGIN msg=audit(1449782897.896:2496): pid=1768 uid=0
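The two requests in this thread, the Dec 15 message asking ausearch to "package" events into a parse-friendly format such as JSON, and the mock-up of an "enriched" event above where ids that differ between systems are translated, can be shown together in a small parser. The code below is an added example, not ausearch's or auditd's own code. It reads records in the standard `type=... msg=audit(SECONDS.MILLIS:SERIAL): key=value ...` layout, groups records that share one audit id into an event, and adds name translations beside the numeric ids rather than replacing them, which is the point made about recording translations of values that change between systems. The sample records and the passwd mapping are constructed for the example; `parse_record`, `group_events`, `enrich`, `package_events` and `to_json` are names chosen here.

```python
"""Package raw audit records into JSON events with optional id translation.

Added example, not ausearch's own code. Sample records and the passwd map
below are constructed for illustration.
"""
import json
import re

# Header of every audit record: type, timestamp and per-event serial number.
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value where value is "double-quoted", 'single-quoted' or a bare token.
FIELD_RE = re.compile(r"""(\S+?)=("[^"]*"|'[^']*'|\S*)""")

UNSET_ID = 4294967295  # (unsigned)-1: the kernel's "not set" auid/ses value
ID_FIELDS = ("uid", "auid", "old-auid", "euid", "suid", "fsuid", "ouid")

# Constructed sample input: three records of one event, then a LOGIN event.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1449782897.896:2496): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd3c1d2f40 a1=0 ppid=1 pid=1768 auid=1000 uid=0 gid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="login"
type=CWD msg=audit(1449782897.896:2496): cwd="/"
type=PATH msg=audit(1449782897.896:2496): item=0 name="/etc/shadow" inode=1234 mode=0100000 ouid=0 ogid=0
type=LOGIN msg=audit(1449782900.001:2497): pid=1768 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=5 res=1
"""
# Constructed stand-in for the local /etc/passwd (uid -> name).
SAMPLE_PASSWD = {0: "root", 1000: "alice"}


def parse_record(line):
    """Split one audit record into ((timestamp, serial), type, fields)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, ts, serial, body = m.groups()
    fields = {}
    for key, value in FIELD_RE.findall(body):
        # Strip the enclosing quotes but keep the content verbatim.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        fields[key] = value
    return (ts, int(serial)), rtype, fields


def group_events(text):
    """Group records that share one audit(ts:serial) id, preserving order."""
    events, order = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, rtype, fields = parse_record(line)
        if event_id not in events:
            events[event_id] = {"timestamp": event_id[0],
                                "serial": event_id[1], "records": []}
            order.append(event_id)
        events[event_id]["records"].append({"type": rtype, "fields": fields})
    return [events[k] for k in order]


def enrich(event, passwd):
    """Add <id>_name beside each numeric id; the raw number is kept."""
    for rec in event["records"]:
        f = rec["fields"]
        for key in ID_FIELDS:
            if key in f and f[key].isdigit():
                n = int(f[key])
                if n == UNSET_ID:
                    f[key + "_name"] = "unset"
                else:
                    f[key + "_name"] = passwd.get(n, "unknown(%d)" % n)
    return event


def package_events(text, passwd):
    """Parse, group and enrich: the list form of the JSON output."""
    return [enrich(e, passwd) for e in group_events(text)]


def to_json(text, passwd):
    """One JSON document per input, events in arrival order."""
    return json.dumps(package_events(text, passwd), indent=2)


if __name__ == "__main__":
    print(to_json(SAMPLE_RECORDS, SAMPLE_PASSWD))
```

Translation is done on the collecting host, where the passwd and group files that the ids refer to actually live; doing it after the records have been shipped to a central store would resolve them against the wrong system, which is the concern raised earlier in the thread.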
On Wed, 09 Dec 2015 12:43:37 +1100
Burn Alting wrote:
> On Tue, 2015-12-08 at 19:28 -0500, Paul Moore wrote:
> > On Tuesday, December 08, 2015 03:25:22 PM Steve Grubb wrote:
> > > On Tuesday, December 08, 2015 02:58:18 PM Paul Moore wrote:
> > > > On Tue, Dec 8, 2015 at 2:22 PM, Steve Grubb
> >
My comments are more from a log user (not developer) perspective. We are
exporting close to 10GB/day of mostly auditd logs. This will potentially go
up to 20GB/day next year.
I'd prefer the ability to translate all auditd logs before they are written
to disk. I believe this is what you have propose
On Tue, 08 Dec 2015 19:28:22 -0500
Paul Moore wrote:
> Okay, let's not call these "standards" and just stick with
> "specifications". The term standards has all sorts of connotations
> associated with it, both good and bad, and I think we should be clear
> when we start talking with other develope
On Tue, 2015-12-08 at 19:28 -0500, Paul Moore wrote:
> On Tuesday, December 08, 2015 03:25:22 PM Steve Grubb wrote:
> > On Tuesday, December 08, 2015 02:58:18 PM Paul Moore wrote:
> > > On Tue, Dec 8, 2015 at 2:22 PM, Steve Grubb wrote:
> > > > Hello,
> > > >
> > > > I would like to point out 2 n
On Tuesday, December 08, 2015 03:25:22 PM Steve Grubb wrote:
> On Tuesday, December 08, 2015 02:58:18 PM Paul Moore wrote:
> > On Tue, Dec 8, 2015 at 2:22 PM, Steve Grubb wrote:
> > > Hello,
> > >
> > > I would like to point out 2 new standards that have been posted to the
> > > linux audit web p
On Tuesday, December 08, 2015 03:49:58 PM Richard Guy Briggs wrote:
> On 15/12/08, Steve Grubb wrote:
> > Hello,
> >
> > I would like to point out 2 new standards that have been posted to the
> > linux audit web page. The first establishes the events around system
> > start up and shutdown. This i
On 15/12/08, Steve Grubb wrote:
> Hello,
>
> I would like to point out 2 new standards that have been posted to the linux
> audit web page. The first establishes the events around system start up and
> shutdown. This is important because it sets the session boundaries for when a
> system is up
On Tuesday, December 08, 2015 02:58:18 PM Paul Moore wrote:
> On Tue, Dec 8, 2015 at 2:22 PM, Steve Grubb wrote:
> > Hello,
> >
> > I would like to point out 2 new standards that have been posted to the
> > linux audit web page. The first establishes the events around system
> > start up and shut
On Tue, Dec 8, 2015 at 2:22 PM, Steve Grubb wrote:
> Hello,
>
> I would like to point out 2 new standards that have been posted to the linux
> audit web page. The first establishes the events around system start up and
> shutdown. This is important because it sets the session boundaries for when a
Hello,
I would like to point out 2 new standards that have been posted to the linux
audit web page. The first establishes the events around system start up and
shutdown. This is important because it sets the session boundaries for when a
system is up or down or crashed.
http://people.redhat.co