From mboxrd@z Thu Jan  1 00:00:00 1970
From: LC Bruzenak <lenny@magitekltd.com>
Subject: Re: no node= in ausearch
Date: Fri, 12 Sep 2008 20:40:23 -0500
Message-ID: <1221270023.6502.124.camel@homeserver>
References: <1221263768.6502.121.camel@homeserver>
	<200809130005.m8D05b5i013462@greed.delorie.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <200809130005.m8D05b5i013462@greed.delorie.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: DJ Delorie <dj@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com


On Fri, 2008-09-12 at 20:05 -0400, DJ Delorie wrote:
> > Just as an aside, I was sending in the auditctl event because I do not
> > see the "node=" information in the ausearch results on my collector.
> > So I wasn't certain which machine might be initiating the event.
> 
> Locally generated events won't have the node= (at least, on my machine
> they don't).  Remotely generated events should have the node= on them.

I thought there was a distinction as to where it was assigned, as in
auditd.conf vice audispd.conf. The raw data (in the log) does have it
locally.

So anyway, if I see no node= events in the collector I know that it
isn't getting any events. 
Also the sender's audispd sends log messages saying the queue is full
and it must drop the events.

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com