
List:       selinux
Subject:    Re: setroubleshooter/sealert on central loghost?
From:       Daniel J Walsh <dwalsh () redhat ! com>
Date:       2007-08-02 14:15:53
Message-ID: 46B1E719.500 () redhat ! com

Jan-Frode Myklebust wrote:
> We run a centralized syslog server, and separate all syslogged avc
> into a separate log file. Is it possible to have setroubleshooter/sealert
> use this log file ?
>
> Also it would be nice if one could get the correct "Host Name" in
> the setroubleshoot browser and alerts. Guess that also will have
> to be added to the avc-log lines in some format.. I tried faking it
> with:
>
> type=AVC msg=audit(1185725759.359:2945): avc:  denied  { search } for
> pid=2077 hostname="my.hostname.com" comm="snmpd" name="fs" dev=proc
> ino=4026531869 scontext=system_u:system_r:snmpd_t:s0
> tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
>
> But the troubleshooter doesn't pick up the hostname. Any ideas ?
>
>
>  -jf
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>   
If you keep the logs separate you can use sealert on the log files.

sealert -a logfile
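
Added example, not part of the original message and not setroubleshoot code: it splits a central AVC file into one raw audit-format file per sending host, so that each file can be given to `sealert -a`. The syslog prefix layout, the `audispd` tag, the sample lines and the function names are assumptions.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumed central-file layout: "Mmm dd hh:mm:ss HOST TAG: <raw audit record>".
# HOST becomes a file name and is sender-supplied, so only hostname characters pass.
SYSLOG_AVC = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+"
    r"(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)\s+\S+:\s+"
    r"(?P<record>type=\w+\s+msg=audit\(\d+\.\d+:\d+\):.*)$"
)

# Constructed sample lines; the first record is the question's AVC minus the faked hostname=.
SAMPLE = [
    'Jul 29 18:15:59 my.hostname.com audispd: type=AVC msg=audit(1185725759.359:2945): '
    'avc:  denied  { search } for pid=2077 comm="snmpd" name="fs" dev=proc '
    'ino=4026531869 scontext=system_u:system_r:snmpd_t:s0 '
    'tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir',
    'Jul 29 18:16:01 web01.example.com audispd: type=AVC msg=audit(1185725761.120:88): '
    'avc:  denied  { read } for pid=3011 comm="httpd" name="notes.txt" dev=dm-0 ino=4242 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file',
    'Jul 29 18:16:02 ../../etc audispd: type=AVC msg=audit(1185725762.001:1): avc:  denied',
]

def split_by_host(lines):
    """Return ({host: [raw audit records]}, [lines that did not parse])."""
    per_host, skipped = defaultdict(list), []
    for line in lines:
        m = SYSLOG_AVC.match(line.rstrip("\n"))
        if m:
            per_host[m["host"]].append(m["record"])
        else:
            skipped.append(line.rstrip("\n"))
    return dict(per_host), skipped

def write_host_logs(per_host, outdir):
    """Write one audit-format file per host and return {host: path}."""
    paths = {}
    for host, records in sorted(per_host.items()):
        paths[host] = Path(outdir) / f"{host}.avc.log"
        paths[host].write_text("\n".join(records) + "\n")
    return paths

if __name__ == "__main__":
    per_host, skipped = split_by_host(SAMPLE)
    for host, path in write_host_logs(per_host, tempfile.mkdtemp()).items():
        print(f"{host}: sealert -a {path}")
    print(f"{len(skipped)} line(s) skipped")
```

The third sample line is skipped because its host field is not a valid hostname, so it can never be used as a file name.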


