Date: Sat, 26 May 2007 02:16:09 -0600 (MDT)
Message-Id: <20070526.021609.-1749708199.imp@bsdimp.com>
To: mail@maxlor.com
From: "M. Warner Losh"
In-Reply-To: <200705252004.38092.mail@maxlor.com>
References: <200705250322.22259.karma@FreeBSD.org> <200705252004.38092.mail@maxlor.com>
Cc: karma@freebsd.org, freebsd-hackers@freebsd.org, trustedbsd-audit@freebsd.org, trustedbsd-discuss@freebsd.org, karma@ez.pereslavl.ru
Subject: Re: SoC: Distributed Audit Daemon project

In message: <200705252004.38092.mail@maxlor.com>
            Benjamin Lutz writes:
: On Friday 25 May 2007 01:22:21 Alexey Mikhailov wrote:
: > [...]
: > 2. As I said before initial subject of this project was "Distributed
: > audit daemon". But after some discussions we had decided that this
: > project can be done in more general manner. We can perform distributed
: > logging for any user-space app.
: > [...]
:
: This sounds very similar to syslogd. Is it feasible to make dlogd a drop-in
: replacement for syslogd, at least from a syslog-using-program point of view?

I suspect that it is dealing with different data streams. syslog is
for programs sending text voluntarily. auditd is for pulling audit
trails out of the kernel for which the 'target' programs have no
knowledge that the audit trails are being generated, let alone any way
to prevent it.

Warner