[Aide] Query over report_url=syslog:<some_path>

Fisher, Philip phil.fisher at dxc.com
Mon Jan 18 19:34:36 EET 2021


Hello AIDE experts

My query is that I am using in aide.conf:

report_url=file:<some pathname>
report_url=syslog:LOCAL6

And a line in rsyslog.conf that writes that facility to a logfile as per usual syslog behaviour.

However, I found that when running report_url=<logfile> as well as the use of syslog, there are differences in the report.  Specifically, there is a major difference in file sizes, for example:

-rw-r--r--. 1 <user> <group>   698119 Jan 15 12:01 aide.log
-rw-------. 1 root      root           22443 Jan 15 12:01 aide.syslog

Now the reason for wanting the syslog capability to work is so that each line has a good log timestamp.  Our log scraping facility will remotely copy the file elsewhere for analysis/archive.  As far as I know, AIDE does not timestamp (in 0.14) any lines or AIDE runs.

Our current version on RHEL6 is 0.14 and due to current project constraints this is not likely to change soon.
While accepting this is an OLD version of AIDE, and NOT maintained anymore I assume, can the expert(s) clarify:

a) does V0.16 fix what I see above?
b) is there a reason why this does not work in 0.14?
c) should we do it another way that is more AIDE compatible (assumes that answer to (b) is yes there is a reason)?

Thank you for your attention.

Phil

--
Phil J Fisher




