Audit in Kerberos

Henry B. Hotz hotz at
Fri Jan 22 20:31:12 EST 2010

On Jan 22, 2010, at 9:02 AM, krbdev-request at wrote:

> 1. Where to store the audit info - in file or DB?
>     Syslog seems to be an attractive option. However, only admin
> privileged users can access and interpret the log.
>     DB log storage suggests more flexibility when users based on
> their access rights may review and analyze the accumulated log data.
> The drawback here is the worsened performance and scalability.

I think the main Kerberos DB is appropriate for info like last successful/failed usage info.  A complete history should be external.

+1 to plugins and minimal built-in facility.

Configurable syslog or file (or NULL) destinations for the info with post-processing to implement the complete facility is the architecture I would expect to make sense, but I haven't thought too much about alternatives.  If you want something other than XML I'd suggest comma-separated-values.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
