* ausearch issue?
@ 2009-06-11 14:45 LC Bruzenak
2009-06-11 14:53 ` Steve Grubb
From: LC Bruzenak @ 2009-06-11 14:45 UTC (permalink / raw)
To: Linux Audit
# auditctl -m "`cat e-1-s`"
# ausearch -ts recent -i -m USER
<no matches>
# ausearch -ts this-week -a 22476
<no matches>
in the raw log:
node=slim type=USER msg=audit(1244730722.536:22476): user pid=16700
uid=0 auid=500 ses=1 subj=user_u:user_r:user_t:s0 msg='node=jim
type=PATH msg=audit(06/08/2009 13:33:50.101:19267) : item=4
name=/var/lib/ntp/drift inode=115581 dev=fd:00 mode=file,644 ouid=ntp
ogid=ntp rdev=00:00 obj=system_u:object_r:ntp_drift_t:s0 :
exe="/usr/local/sbin/auditctl" (hostname=?, addr=?, terminal=pts/13
res=success)'
file "e-1-s" (1 line):
node=jim type=PATH msg=audit(06/08/2009 13:33:50.101:19267) : item=4
name=/var/lib/ntp/drift inode=115581 dev=fd:00 mode=file,644 ouid=ntp
ogid=ntp rdev=00:00 obj=system_u:object_r:ntp_drift_t:s0
Any clues?
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
* Re: ausearch issue?
2009-06-11 14:45 ausearch issue? LC Bruzenak
@ 2009-06-11 14:53 ` Steve Grubb
2009-06-11 15:06 ` LC Bruzenak
From: Steve Grubb @ 2009-06-11 14:53 UTC (permalink / raw)
To: linux-audit
On Thursday 11 June 2009 10:45:21 am LC Bruzenak wrote:
> # auditctl -m "`cat e-1-s`"
> # ausearch -ts recent -i -m USER
> <no matches>
> # ausearch -ts this-week -a 22476
> <no matches>
>
> in the raw log:
> node=slim type=USER msg=audit(1244730722.536:22476): user pid=16700
> uid=0 auid=500 ses=1 subj=user_u:user_r:user_t:s0 msg='node=jim
> type=PATH msg=audit(06/08/2009 13:33:50.101:19267) : item=4
> name=/var/lib/ntp/drift inode=115581 dev=fd:00 mode=file,644 ouid=ntp
> ogid=ntp rdev=00:00 obj=system_u:object_r:ntp_drift_t:s0 :
> exe="/usr/local/sbin/auditctl" (hostname=?, addr=?, terminal=pts/13
> res=success)'
>
> Any clues?
When ausearch finds a malformed record, it discards it as a safety measure.
-Steve
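The record Steve calls malformed is a USER record whose msg='...' payload carries a second, verbatim audit record (its own node=, type= and msg=audit(...) header). The checker below is an added example, not code from the thread or from the audit project: it pulls the payload out of a raw USER line, flags record-header tokens nested inside it, and hex-encodes a message before it is handed to auditctl -m, mirroring what libaudit's audit_encode_nv_string does for untrusted strings; that ausearch -i decodes this particular field is an assumption.

```python
import re

# Constructed from the record quoted in the thread: a USER record whose
# msg='...' payload contains a complete second audit record.
RAW_RECORD = (
    "node=slim type=USER msg=audit(1244730722.536:22476): user pid=16700 "
    "uid=0 auid=500 ses=1 subj=user_u:user_r:user_t:s0 msg='node=jim "
    "type=PATH msg=audit(06/08/2009 13:33:50.101:19267) : item=4 "
    "name=/var/lib/ntp/drift inode=115581 dev=fd:00 mode=file,644 ouid=ntp "
    "ogid=ntp rdev=00:00 obj=system_u:object_r:ntp_drift_t:s0 : "
    "exe=\"/usr/local/sbin/auditctl\" (hostname=?, addr=?, terminal=pts/13 "
    "res=success)'"
)

HEADER_RE = re.compile(r"msg=audit\([^)]*\)")
# Tokens that belong only at the head of an audit record. Finding them
# inside a user-supplied payload is the signature of a nested record
# (a heuristic: "node=" in ordinary prose would also trip it).
NESTED_TOKENS = ("msg=audit(", "type=", "node=")

def split_record(line):
    """Return (record header, quoted msg payload) for a raw USER record."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("not an audit record")
    start = line.find("msg='", m.end())
    if start < 0:
        return m.group(0), ""
    return m.group(0), line[start + len("msg='"):line.rfind("'")]

def nested_headers(payload):
    """List the record-header tokens found inside a payload."""
    return [tok for tok in NESTED_TOKENS if tok in payload]

def safe_user_message(text):
    """Hex-encode a message destined for 'auditctl -m' when it carries
    record-header tokens, so the audit line stays one well-formed record.
    Plain messages are passed through unchanged."""
    if not nested_headers(text):
        return text
    return text.encode().hex()

def check_line(line):
    """True when the USER record's payload is free of nested headers and
    can be expected to survive a strict parser such as ausearch's."""
    _, payload = split_record(line)
    return not nested_headers(payload)
```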
* Re: ausearch issue?
2009-06-11 14:53 ` Steve Grubb
@ 2009-06-11 15:06 ` LC Bruzenak
From: LC Bruzenak @ 2009-06-11 15:06 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On Thu, 2009-06-11 at 10:53 -0400, Steve Grubb wrote:
> On Thursday 11 June 2009 10:45:21 am LC Bruzenak wrote:
> > # auditctl -m "`cat e-1-s`"
> > # ausearch -ts recent -i -m USER
> > <no matches>
> > # ausearch -ts this-week -a 22476
> > <no matches>
> >
> > in the raw log:
> > node=slim type=USER msg=audit(1244730722.536:22476): user pid=16700
> > uid=0 auid=500 ses=1 subj=user_u:user_r:user_t:s0 msg='node=jim
> > type=PATH msg=audit(06/08/2009 13:33:50.101:19267) : item=4
> > name=/var/lib/ntp/drift inode=115581 dev=fd:00 mode=file,644 ouid=ntp
> > ogid=ntp rdev=00:00 obj=system_u:object_r:ntp_drift_t:s0 :
> > exe="/usr/local/sbin/auditctl" (hostname=?, addr=?, terminal=pts/13
> > res=success)'
> >
> > Any clues?
>
> When ausearch finds a malformed record, it discards it as a safety measure.
>
> -Steve
OK; fair enough.
I HATE that the parser is so ...smart...
:/
I really wanted this in there and be able to extract it later. Oh well,
option C...
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com