Hi, I have a Fedora 33 system and would like to get more involved with auditd. I understand the basics, but are there any tools to process the audit.log file, to make it easier to process, read and display? How about acting on specific events? What if I wanted to be alerted somehow when sudo was run more than five times in some period? Perhaps logwatch? I've seen references to using it with Splunk, but are there open source alternatives?

I'm also aware of aureport, which appears to be great for producing summary reports, and maybe an event report, but what do people do with this information to make it useful? How do admins normally act on the information in the logs? Are they just using it to investigate a specific event, such as when privileges are escalated for some reason or ssh is being used? It's otherwise just too much information - who cares that ssh is being used or sudo was run, unless you thought that functionality was disabled, for example.

Thanks,
Alex

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
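As an added illustration of the kind of processing the post asks about (this is example code written for this page, not something Alex posted and not part of auditd, aureport or any Fedora tool), the script below parses raw audit.log records into fields and raises an alert when one login session (auid) runs sudo more than five times inside a sliding window. The log lines are constructed to resemble the USER_CMD records sudo emits through the audit subsystem; the `/usr/bin/sudo` path, the 300-second window and the threshold of five are assumptions you would tune for your own system.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample audit.log content, modelled on the USER_CMD records that
# sudo writes via the audit subsystem (plus two unrelated records as noise).
# Nothing here was captured from a real host: pids, serials, timestamps,
# usernames and paths are made up for this example.
SAMPLE_AUDIT_LOG = """\
type=USER_CMD msg=audit(1612345600.101:201): pid=3001 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd="dnf" exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=CRED_ACQ msg=audit(1612345600.150:202): pid=3001 uid=1000 auid=1000 ses=3 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_CMD msg=audit(1612345610.102:203): pid=3002 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd=646E6620757064617465 exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=SYSCALL msg=audit(1612345615.000:204): arch=c000003e syscall=59 success=yes exit=0 ppid=3002 pid=3003 auid=1000 uid=0 exe="/usr/bin/dnf" key="exec"
type=USER_CMD msg=audit(1612345620.103:205): pid=3004 uid=1001 auid=1001 ses=5 msg='cwd="/home/bob" cmd="id" exe="/usr/bin/sudo" terminal=pts/1 res=success'
type=USER_CMD msg=audit(1612345700.104:206): pid=3005 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd="visudo" exe="/usr/bin/sudo" terminal=pts/0 res=failed'
type=USER_CMD msg=audit(1612345800.105:207): pid=3006 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd="journalctl" exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1612345850.106:208): pid=3007 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd="aureport" exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1612345870.107:209): pid=3008 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd="ausearch" exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1612345880.108:210): pid=3009 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd="reboot" exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1612345890.109:211): pid=3010 uid=1001 auid=1001 ses=5 msg='cwd="/home/bob" cmd="dnf" exe="/usr/bin/sudo" terminal=pts/1 res=success'
type=USER_CMD msg=audit(1612346500.110:212): pid=3011 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd="id" exe="/usr/bin/sudo" terminal=pts/0 res=success'
"""

# Every record starts with a type and an audit(<epoch>.<ms>:<serial>) stamp.
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$"
)
# key=value pairs: double-quoted, single-quoted (the nested msg='...' payload
# of USER_* records), or a bare token.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
# Fields that auditd hex-encodes when the value contains spaces or odd bytes.
ENCODED_FIELDS = {"cmd", "cwd", "exe"}


def decode_audit_string(raw):
    """Undo auditd's string encoding: a quoted value is returned without the
    quotes; an unquoted value is a hex string that we decode back to text."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_record(line):
    """Parse one audit.log line into a flat dict, or return None for lines
    that do not look like audit records (blank lines, wrapped continuations)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "time": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    pairs = FIELD_RE.findall(m.group("rest"))
    # USER_* records carry a second key=value list inside msg='...'; flatten it.
    nested = [v for k, v in pairs if k == "msg"]
    if nested and nested[0].startswith("'"):
        pairs += FIELD_RE.findall(nested[0][1:-1])
    for key, val in pairs:
        if key == "msg":
            continue
        rec[key] = decode_audit_string(val) if key in ENCODED_FIELDS else val.strip('"')
    return rec


def is_sudo_command(rec):
    return rec is not None and rec["type"] == "USER_CMD" and rec.get("exe") == "/usr/bin/sudo"


def sudo_summary(log_text):
    """Per-auid count of sudo invocations: roughly what aureport tabulates,
    returned as a dict so it can be handed to other tooling."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if is_sudo_command(rec):
            counts[rec.get("auid", "?")] += 1
    return dict(counts)


def sudo_burst_alerts(log_text, threshold=5, window_s=300):
    """Flag a login session (auid) that runs sudo more than `threshold` times
    inside a sliding window of `window_s` seconds. One alert is raised at the
    moment the count first exceeds the threshold; later events in the same
    burst do not re-alert until the window count has fallen back."""
    recent = defaultdict(deque)  # auid -> deque of (time, cmd) inside the window
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not is_sudo_command(rec):
            continue
        auid = rec.get("auid", "?")
        window = recent[auid]
        window.append((rec["time"], rec.get("cmd", "")))
        while rec["time"] - window[0][0] > window_s:  # drop events older than the window
            window.popleft()
        if len(window) == threshold + 1:
            alerts.append({
                "auid": auid,
                "when": datetime.fromtimestamp(rec["time"], tz=timezone.utc).isoformat(),
                "count": len(window),
                "commands": [cmd for _, cmd in window],
            })
    return alerts


if __name__ == "__main__":
    print("sudo invocations per auid:", sudo_summary(SAMPLE_AUDIT_LOG))
    for alert in sudo_burst_alerts(SAMPLE_AUDIT_LOG):
        print(f"ALERT auid={alert['auid']} at {alert['when']}: "
              f"{alert['count']} sudo commands in window: {alert['commands']}")
```

Against the sample, auid 1000 trips the alert on its sixth sudo within five minutes while auid 1001 stays quiet. On a real host the same functions would read `/var/log/audit/audit.log` (root-only by default) or the output of `ausearch`, and the auid, rather than the uid, is what ties the commands back to the original login even after the escalation.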