I want to ship off logs into centralized logging (ELK). Because of the way things are, I need to do the processing on the machine that creates the logs. How can I get each new auditd event to automatically be processed by ausearch and written to another file?
Simplest (but batch orientated): Use the checkpoint capability within ausearch, serialize the output into some transport mechanism (i.e. fold multiple records into a single line and transport via syslog, and have your logstash macros break it out again) and run every N minutes.
More effort: Cut code to do the above using audit-libs (start with auparse_feed(3)) and set up an auditd dispatcher to send audit to your code.

BurnA
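A shell sketch of the batch approach in the answer above, added here as an example and not code from the original post: records are folded per event with awk, keyed on the `msg=audit(TIME:SERIAL)` field that every record of one event shares, so the ELK side can split them back out; the checkpoint path, the `audit-ship` logger tag and the `local6` facility are assumptions.

```shell
#!/bin/sh
# Added example: fold each multi-record auditd event into one syslog line,
# using ausearch checkpointing so each cron run only sees new events.

CHECKPOINT_FILE="${CHECKPOINT_FILE:-/var/lib/audit-ship/checkpoint}"  # assumed path

# fold_audit_events: read raw ausearch records on stdin, group records that
# share the same msg=audit(TIME:SERIAL) id, and print one line per event:
#   <TIME:SERIAL> <record1>|<record2>|...
# Records are joined with "|" so a logstash split filter can undo the fold.
fold_audit_events() {
    awk '
    {
        # the event id lives inside msg=audit(...); lines without it
        # (the "----" separators ausearch prints, blank lines) are skipped
        if (match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) {
            id = substr($0, RSTART + 10, RLENGTH - 11)
        } else {
            next
        }
        if (id != cur && cur != "") { print cur " " buf }
        if (id != cur) { cur = id; buf = $0 } else { buf = buf "|" $0 }
    }
    END { if (cur != "") print cur " " buf }
    '
}

# ship_new_events: pull only the events written since the last checkpoint
# and hand each folded line to syslog via logger(1); run from cron every N minutes.
ship_new_events() {
    ausearch --input-logs --raw --checkpoint "$CHECKPOINT_FILE" 2>/dev/null \
        | fold_audit_events \
        | while IFS= read -r line; do
              logger -t audit-ship -p local6.info "$line"
          done
}
```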