From: LC Bruzenak
Subject: Re: Audit Prelude Logout Tracking
Date: Thu, 19 Feb 2009 08:45:55 -0600
Message-ID: <1235054755.11692.127.camel@homeserver>
To: Dan Gruhn
Cc: linux-audit@redhat.com

On Thu, 2009-02-19 at 09:26 -0500, Dan Gruhn wrote:
> LC Bruzenak wrote:
> > On Wed, 2009-02-18 at 16:44 -0600, LC Bruzenak wrote:
>
> LCB,
>
> Thanks for the tip on the hostname/addr info is only for remote access
> information.
>
> Although this seemed like the right place to look, I don't see
> USER_LOGOUT events in my audit logs, this is why I mentioned the
> USER_END events. Do you remember USER_LOGOUT working back when you
> tried before?

I thought that is what I saw previously, but it isn't there now. Only
login/logout on the console gives these messages. I need to go back
through some old email - I thought Steve patched this a while back.

> I am interested in the patches that you make to audisp-prelude.c. Do
> you think they might be useful to me in my NISPOM quest? If so, are
> they patches from 1.7.11 and could you send me a copy?

I'll gladly send you a copy off-list - the changes are specific to what
I'm doing. Basically I had to sub-format the user text in order to key
off what I wanted to send to prelude. You may need to incorporate
something similar...unless of course between us we can provide a
non-intrusive patch Steve would accept which would accommodate
user-designated IDS events! :)

LCB.

--
LC (Lenny) Bruzenak
lenny@magitekltd.com