From mboxrd@z Thu Jan 1 00:00:00 1970
From: LC Bruzenak
Subject: Re: ausearch on aggregation - syscall difference
Date: Fri, 24 Oct 2008 13:38:45 -0500
Message-ID: <1224873525.9388.25.camel@homeserver>
References: <1224868121.9388.8.camel@homeserver> <490213B2.3040701@redhat.com>
In-Reply-To: <490213B2.3040701@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: John Dennis
Cc: Linux Audit
List-Id: linux-audit@redhat.com

On Fri, 2008-10-24 at 14:28 -0400, John Dennis wrote:
> This problem occurs because ausearch naively assumes the log data it's
> parsing originated on the same machine it's running on. Instead of
> reading the arch from the audit record it calls audit_detect_machine()
> which calls uname(). It then uses the machine arch it found with uname()
> to interpret the syscall number. Auparse has the same problem.

The audit-viewer gets the right syscall for the event's arch.

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
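The failure mode John describes (decoding the syscall number with the arch of the machine running the tool instead of the arch recorded in the event) is easy to reproduce on aggregated logs. The script below is an added illustration written for this archive page, not code from the thread, from ausearch, auparse or audit-viewer. It assumes the two real AUDIT_ARCH_* constants from the kernel's audit ABI, carries only a constructed handful of syscall-table entries (the real tables are far larger), and decodes two constructed SYSCALL records, one from an x86_64 host and one from an i386 host, both ways: the "naive" way that trusts the local host arch, and the correct way that reads the record's own arch= field.

```python
"""Decode audit SYSCALL records two ways: with the local host arch
(the ausearch behaviour described in the thread) and with the arch
carried in the record. Added example; not code from the audit project."""
import re

# Real AUDIT_ARCH_* values (EM_* machine id OR'd with the 64-bit / LE flags),
# as defined in the kernel's linux/audit.h.
AUDIT_ARCH_X86_64 = 0xC000003E
AUDIT_ARCH_I386 = 0x40000003

# Constructed subset of the per-arch syscall tables, enough to show the
# mismatch. The same number means different things on different arches.
SYSCALL_NAMES = {
    AUDIT_ARCH_X86_64: {2: "open", 11: "munmap", 59: "execve", 231: "exit_group"},
    AUDIT_ARCH_I386: {5: "open", 11: "execve", 91: "munmap", 252: "exit_group"},
}

# key=value fields; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed records: an x86_64 execve and an i386 execve, as they would
# appear after aggregation onto one collector. Not real log data.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1224873525.001:101): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=1 comm="bash" exe="/bin/bash"',
    'type=SYSCALL msg=audit(1224873525.002:102): arch=40000003 syscall=11 '
    'success=yes exit=0 a0=1 comm="sh" exe="/bin/sh"',
]


def parse_record(line):
    """Split one audit record line into a dict of string fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def decode_naive(record, host_arch):
    """Interpret the syscall number with the arch of the machine running
    the tool, ignoring the record's arch= field. This is the bug."""
    num = int(record["syscall"])
    return SYSCALL_NAMES[host_arch].get(num, f"unknown({num})")


def decode_from_record(record):
    """Interpret the syscall number with the arch recorded in the event."""
    arch = int(record["arch"], 16)
    num = int(record["syscall"])
    table = SYSCALL_NAMES.get(arch)
    if table is None:
        return f"unsupported-arch(0x{arch:x})"
    return table.get(num, f"unknown({num})")


def compare(lines, host_arch=AUDIT_ARCH_X86_64):
    """Return (arch field, naive name, correct name) for each SYSCALL record,
    pretending the analysis host is x86_64 unless told otherwise."""
    results = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        results.append((rec["arch"], decode_naive(rec, host_arch), decode_from_record(rec)))
    return results


if __name__ == "__main__":
    for arch, naive, correct in compare(SAMPLE_LOG):
        flag = "" if naive == correct else "  <-- misdecoded by host-arch assumption"
        print(f"arch={arch} host-arch decode={naive:<12} record-arch decode={correct}{flag}")
```

On an x86_64 analysis host the i386 record's syscall 11 decodes as munmap under the host-arch assumption but as execve once the record's own arch field is honoured; that is exactly the discrepancy a reviewer would see between ausearch and audit-viewer on an aggregated log, and it is why any tool that reads logs from other machines must key its syscall table on the record's arch= field, not on uname().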