Hi everybody.
I want to configure SELinux on 1000+ systems, but I need to know if there is a method or product that collects all SELinux logs and creates a mirror of what is happening on the systems.
An example is snorby for suricata or snort (IDS/IPS): http://www.rivy.org/wp-content/uploads/2013/03/snorby-screenshot.png
Let me know.
Thanks in advance.
Maurizio Pagani
Well, it is just the audit.log, so any tool that could collect the audit.log would collect the SELinux logs.
You might want to look at http://linux.die.net/man/5/audisp-remote.conf
Which I believe can be set up to remote the logs.
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
You can tell audisp ( http://man7.org/linux/man-pages/man8/audispd.8.html ) to send all audit messages to syslog and then use a centralized syslog system to collect your logs into a central repository. At that point you can use your favorite log parsing tools to review your SELinux audit messages (not to mention other items) at will.
Cheers, David
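Once audisp's syslog plugin (/etc/audisp/plugins.d/syslog.conf, `active = yes`) is forwarding records the way David describes, the central copy can be mined for the fleet-wide picture the original question asks for. The following is an added example, not code from the thread or from any tool named in it: a small Python parser over constructed syslog lines that groups AVC denials by source type, target type and object class and lists which hosts produced them; the line shape, host names, contexts and the `audispd:` syslog tag are assumptions.

```python
import re
from collections import defaultdict
# AVC record as audisp's syslog plugin forwards it to the central syslog host (constructed shape).
AVC_RE = re.compile(
    r"(?P<host>\S+) audispd: (?:node=\S+ )?type=AVC msg=audit\([\d.]+:\d+\): "
    r"avc:\s+(?P<action>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed lines from three hosts; the SYSCALL record is the kind of audit line the parser must skip.
SAMPLE_LINES = [
    'Sep 16 05:28:01 web01 audispd: type=AVC msg=audit(1410852481.123:456): avc:  denied  { read } for  '
    'pid=1234 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'Sep 16 05:28:02 web02 audispd: type=AVC msg=audit(1410852482.001:789): avc:  denied  { read open } for  '
    'pid=2345 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'Sep 16 05:28:02 web02 audispd: type=SYSCALL msg=audit(1410852482.001:789): arch=c000003e syscall=2 success=no exit=-13',
    'Sep 16 05:28:04 db01 audispd: type=AVC msg=audit(1410852484.500:12): avc:  denied  { name_connect } for  '
    'pid=3456 comm="mysqld" dest=3306 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
]

def _type_of(context):
    parts = context.split(":")  # user:role:type:level
    return parts[2] if len(parts) > 2 else context

def parse_avc(line):
    """Parse one forwarded AVC line into its key fields; return None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {"host": m.group("host"), "action": m.group("action"),
            "perms": set(m.group("perms").split()), "comm": fields.get("comm"),
            "stype": _type_of(fields.get("scontext", "")),
            "ttype": _type_of(fields.get("tcontext", "")), "tclass": fields.get("tclass")}

def summarize(lines):
    """Fleet view: group denials by (source type, target type, class), with the hosts and perms seen."""
    summary = defaultdict(lambda: {"count": 0, "hosts": set(), "perms": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied":
            continue
        entry = summary[(rec["stype"], rec["ttype"], rec["tclass"])]
        entry["count"] += 1
        entry["hosts"].add(rec["host"])
        entry["perms"] |= rec["perms"]
    return dict(summary)

for (stype, ttype, tclass), e in sorted(summarize(SAMPLE_LINES).items()):
    print(f"{stype} -> {ttype} ({tclass}): {e['count']} denials on {sorted(e['hosts'])}, perms {sorted(e['perms'])}")
```

The same grouping key is what a dashboard or a logstash/graylog query would pivot on, so the same denial showing up on many hosts is spotted once rather than per machine.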
+1 to the centralized syslog server.
We take advantage of logstash and have looked at graylog2.
http://graylog2.org/ http://logstash.net/
Bonus link: selinux in puppet: https://forge.puppetlabs.com/tags/selinux
Hope this helps your R&D; let us know how you solve this.
George