Aureport on stream of data #324
Comments
|
I have never seen any output of elk. So, I can't really help there. But if you can get it formatted just like the original audit logs, then you can pipe it into aureport via stdin. Not much I can do with this one. Issue #130 also asks for acceptance of other formats. But it is low priority. |
|
Hello
So elk is just one use case, but any kafka / siem / databases that stores
audit log are relevant here.
How can I convert text output to be formated so that aureport can be piped
and give insights ?
Thank you
בתאריך יום ד׳, 20 בספט׳ 2023, 19:02, מאת Steve Grubb <
***@***.***>:
… I have never seen any output of elk. So, I can't really help there. But if
you can get it formatted just like the original audit logs, then you can
pipe it into aureport via stdin. Not much I can do with this one.
Issue #130 <#130>
also asks for acceptance of other formats. But it is low priority.
—
Reply to this email directly, view it on GitHub
<#324 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ASY5U7JFBQXRLONT4IK3B5TX3MHSFANCNFSM6AAAAAA43TL5AY>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
I have no idea what the output is as I have no access to any of those. Once you take the logs into something else, typically you use the tools provided by that something else. If their tools can't extract the data back into its original format, you can't use tools from the original source (auditd). |
|
So just to clarify, having raw, textual auditd logs can be piped to
aureport ?
בתאריך יום ה׳, 21 בספט׳ 2023, 17:45, מאת Steve Grubb <
***@***.***>:
… I have no idea what the output is as I have no access to any of those.
Once you take the logs into something else, typically you use the tools
provided by that something else. If their tools can't extract the data back
into its original format, you can't use tools from the original source
(auditd).
—
Reply to this email directly, view it on GitHub
<#324 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ASY5U7IF5CN5RUOJQTHLZKDX3RHH5ANCNFSM6AAAAAA43TL5AY>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
Yes. For example, try the following: |
|
Looks like this ticket can be closed. If you have any further questions just ask. |
|
Yes please, 2 questions :
1) Is there a way to run aureport on updating auditd logs ? That is, not
running aureport on all logs, just updating the last aureport with the
recent addition of logs ?
2) Could aureport run on combined auditd logs from more than one computor
and produce multiple outputs ?
Thank you
בתאריך יום ד׳, 11 באוק׳ 2023, 23:22, מאת Steve Grubb <
***@***.***>:
… Closed #324 <#324>
as completed.
—
Reply to this email directly, view it on GitHub
<#324 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ASY5U7LJA4M3J5LRXUZVCC3X635YNANCNFSM6AAAAAA43TL5AY>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
I would like to know how can I rum aureport on a stream of data, i.e auditd logs streamed to elk
The text was updated successfully, but these errors were encountered: