Can auditd be used to check the contents of a file?

I've read the man pages, checked the discussion boards and the knowledge base, and my hunch is the
answer to this is probably "no". If that's the case, alternate suggestions would be helpful.

The problem:

I am evaluating a log analyzer product that looks for events on Linux hosts, switches, etc.
When talking to a Linux host, the product will use 'connectors' to examine the log files
created by auditd. Since the data in the auditd logs is tagged, this makes a lot of sense.

My problem is that for this particular case, I'm NOT looking to see when /var/log/messages
has been updated, but what was written IN /var/log/messages.

Specifically, I'm looking for text strings such as "kernel: CIFS VFS: server not responding". I want
that text tagged and written to the auditd log file so the log analyzer connector can pick it up.

As far as I can tell, auditd looks for things like attempts to access the file, how the file was
accessed, who accessed the file, and whether it was successful, but there is no way to get it to
look at what was written.

I would like to stick with system tools so that I don't have to re-invent the wheel, but right
now I'm thinking the sanest solution would be to write my own program to parse /var/log/messages
and write my own 'auditd-like' output file and have the connector use that instead.

Ideas?

Responses

The audit service is an action-monitor, not a content-analyzer.

Off the top of my head, I can't think of many "comes with the OS DVD" content-analyzers. You can set up some basic inline-filters via rsyslog. If your audit messages are (also) being logged to rsyslog, you can use that capability.

For something a bit more robust, there are plenty of tools out there - both paid and free - for doing what you're looking to do.
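A concrete form of the rsyslog filter suggested above, added here as an example and not taken from the thread: it assumes rsyslog 7 or later (RainerScript syntax), that kernel messages already reach rsyslog through imklog (the RHEL default), and that the output path and the key=value record layout are placeholders to be matched to whatever the connector actually parses.

```conf
# /etc/rsyslog.d/10-cifs-alerts.conf   (file name is an assumption)
# rsyslog inspects the body of every message it receives, which auditd does
# not, so the CIFS text can be matched here and re-emitted as a tagged record
# for the log analyzer's connector to collect.

# Audit-style key=value layout (constructed; adapt the keys to the connector).
template(name="cifs_audit_like" type="string"
         string="type=CIFS_ALERT msg=audit(%timegenerated:::date-unixtimestamp%.000:0): host=%hostname% prog=%programname% msg=\"%msg:::drop-last-lf%\"\n")

# Route only kernel messages that contain the exact CIFS text. Processing
# continues to the normal rules afterwards, so /var/log/messages is unchanged.
if ($programname == 'kernel' and $msg contains 'CIFS VFS: server not responding') then {
    action(type="omfile"
           file="/var/log/cifs-alerts.log"
           fileCreateMode="0600"
           template="cifs_audit_like")
}
```

Check the syntax with `rsyslogd -N1` before restarting the service; a logger line such as `logger -t kernel "CIFS VFS: server not responding"` will not carry the kernel facility but is enough to confirm the content match fires.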

Thanks. It's good to know that my understanding of the situation is close to correct.
