Hi,
I have a Fedora 33 system and would like to get more involved with
auditd. I understand the basics, but are there any tools to process
the audit.log file, to make it easier to process, read and display?
How about acting on specific events? What if I wanted to be alerted
somehow when sudo was run more than five times in some period? Perhaps
logwatch?
I've seen references to using it with Splunk, but are there open source
alternatives?
I'm also aware of aureport, which appears to be great for producing
summary reports, and maybe an event report, but what do people do with
this information to make it useful?
How do admins normally act on the information in the logs? Are they
just using it to investigate a specific event, such as when privileges
are escalated for some reason or ssh is being used?
It's otherwise just too much information - who cares that ssh is being
used or sudo was run, unless you thought that functionality was
disabled, for example.
Thanks,
Alex
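The threshold check Alex asks about (alert when sudo is run more than five times in some period), as an added example that is not part of the original message and not code from any auditd or sudo project. It assumes sudo writes a USER_CMD record per command (which it does when built with audit support), that records are fed in time order, and uses constructed audit.log lines rather than output captured from a real system. The parser handles the two things that trip people up when reading audit.log by hand: the nested msg='...' block that userspace daemons write, and values that the audit system hex-encodes when they contain spaces.

```python
import re
from collections import defaultdict, deque

# Constructed sample audit.log records (not from a real system). sudo logs each
# command it runs as a USER_CMD record; cmd= is hex-encoded by the audit system
# when the command line contains spaces, and quoted otherwise. One USER_START
# record is included because it must be ignored by the sudo-command filter.
SAMPLE_AUDIT_LOG = """\
type=USER_CMD msg=audit(1612345600.101:201): pid=2001 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd=6C73202D6C61 exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_START msg=audit(1612345600.150:202): pid=2001 uid=0 auid=1000 ses=3 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_CMD msg=audit(1612345610.220:205): pid=2010 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd=636174202F6574632F736861646F77 exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1612345620.330:209): pid=2015 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd="id" exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1612345630.440:213): pid=2020 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd="id" exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1612345640.550:217): pid=2025 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd="id" exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1612345700.660:221): pid=2030 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd="id" exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1612349999.770:300): pid=3001 uid=1001 auid=1001 ses=5 msg='cwd="/home/bob" cmd="id" exe="/usr/bin/sudo" terminal=pts/1 res=success'
"""

# Every record starts with type=... msg=audit(<epoch>.<ms>:<serial>):
HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
# key=value pairs; values are either double-quoted or a run of non-space characters
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^[0-9A-F]+$")


def decode_value(key, raw):
    """Strip quotes from quoted values; hex-decode the cmd= field when it is unquoted."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key == "cmd" and HEX_RE.match(raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """Parse one audit.log line into a dict, or return None if it is not an audit record."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    body = line[m.end():]
    # sudo, sshd and other daemons nest their own key=value text inside msg='...';
    # splice it into the outer body so one pass collects every field.
    nested = re.search(r" msg='(.*)'\s*$", body)
    if nested:
        body = body[: nested.start()] + " " + nested.group(1)
    for key, raw in PAIR_RE.findall(body):
        rec[key] = decode_value(key, raw)
    return rec


def sudo_commands(lines):
    """Return the USER_CMD records written by sudo, in file order."""
    events = []
    for line in lines:
        rec = parse_record(line)
        if rec and rec["type"] == "USER_CMD" and rec.get("exe") == "/usr/bin/sudo":
            events.append(rec)
    return events


def find_sudo_bursts(records, threshold=5, window_seconds=300):
    """Sliding-window check per login user (auid, kept as the string audit logs it).

    Emits one alert each time a user's sudo count inside the window crosses from
    `threshold` to `threshold + 1`, i.e. "more than threshold in window_seconds".
    Records must be in time order, which audit.log guarantees.
    """
    alerts = []
    windows = defaultdict(deque)
    for rec in records:
        q = windows[rec["auid"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window_seconds:
            q.popleft()
        if len(q) == threshold + 1:
            alerts.append({"auid": rec["auid"], "count": len(q), "first_ts": q[0], "last_ts": rec["ts"]})
    return alerts


if __name__ == "__main__":
    recs = sudo_commands(SAMPLE_AUDIT_LOG.splitlines())
    for r in recs:
        print(f"{r['ts']:.3f} auid={r['auid']} sudo {r['cmd']!r}")
    for a in find_sudo_bursts(recs):
        print(f"ALERT: auid={a['auid']} ran sudo {a['count']} times between {a['first_ts']} and {a['last_ts']}")
```

Run against a real system by feeding it the output of `ausearch -m USER_CMD --raw` (or the lines of /var/log/audit/audit.log directly) instead of the constructed sample; the auid field is what to key on, not uid, because uid is already 0 by the time sudo has switched users. This is a batch check, not a real-time alert; for the latter the same logic belongs in an audisp plugin or a log shipper rule, but the parsing and windowing do not change.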