From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Paris
Subject: Re: auditd 2.0.5 and 2.2 log format changes
Date: Tue, 20 May 2014 13:02:24 -0400
Message-ID: <1400605344.20791.4.camel@flatline.rdu.redhat.com>
References: <20140520113138.5e08d5e2@ivy-bridge>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Ismail Yenigul
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tue, 2014-05-20 at 18:35 +0300, Ismail Yenigul wrote:
> Thanks for the prompt reply.
>
> > The kernel versions are very close.

Not really.  RHEL kernels are vastly different from the old 2.6.32
kernel.  In this case, the RHEL kernel gives some very very new
information which didn't exist back in 2.6.37.  Aka the 2.6.32 rhel
kernel is 'newer' than the 2.6.37 suse kernel.  Does that make sense?

> Redhat: 2.6.32-431.11.2.el6.x86_64
>
> Suse: 2.6.37.1-1.2-desktop
>
> > I have a script to correlate (for user friendly report) auditd 2.2
> > version logs.  It works on RedHat.
> > We have suse 11.4 server running audit 2.0.5 version.
> >
> > I could not see any major log format difference between the two
> > versions.  I see that there is nametype=NORMAL field difference at
> > the end of each line for version 2.2.

This is a new key=value pair which tells you something about this
particular name record.  Imagine you called rename() and placed one file
on top of another existing file.  In old kernels you'd end up with about
4 different audit names.  Old parent dir, new parent dir, old file
moving, new file being unlink()ed because of the rename() on top of it.
This field is supposed to help you figure out which of these audit names
goes with which part of the syscall.  Make sense?
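The following parser is an added example, not code from Eric Paris, Ismail Yenigul or the audit project. It groups SYSCALL/CWD/PATH records of a rename() by their event serial and uses nametype= to work out which PATH record is the parent directory, the source name and the overwritten target, falling back to a plain list of names when a record has no nametype (the older-kernel case from the thread). Both log samples are constructed: the timestamps, serial numbers, inodes, the "rename-watch" key and the exact set and order of PATH records are assumptions; real kernels differ in how many PATH records they emit for a rename over an existing file, and here the replaced target is shown as a DELETE record followed by a CREATE record with the same name.

```python
import re
from collections import defaultdict

# Constructed sample (not a real capture): mv /tmp/a /tmp/b where /tmp/b already
# exists, as a kernel that adds nametype= to each PATH record would report it.
# Timestamps, serials, inodes and the watch key are made up for this example.
NEW_FORMAT = """\
type=SYSCALL msg=audit(1400605344.123:501): arch=c000003e syscall=82 success=yes exit=0 a0=7fff1c0 a1=7fff1c8 a2=0 a3=0 items=5 ppid=1 pid=2 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="mv" exe="/bin/mv" key="rename-watch"
type=CWD msg=audit(1400605344.123:501):  cwd="/tmp"
type=PATH msg=audit(1400605344.123:501): item=0 name="/tmp/" inode=2 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1400605344.123:501): item=1 name="/tmp/" inode=2 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1400605344.123:501): item=2 name="/tmp/a" inode=17 dev=fd:00 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1400605344.123:501): item=3 name="/tmp/b" inode=18 dev=fd:00 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1400605344.123:501): item=4 name="/tmp/b" inode=17 dev=fd:00 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
"""

# Constructed sample of the same operation as an older kernel logs it: the PATH
# records carry no nametype, so the parser can only list the names in item order.
OLD_FORMAT = """\
type=SYSCALL msg=audit(1400605000.456:77): arch=c000003e syscall=82 success=yes exit=0 a0=7fff1c0 a1=7fff1c8 a2=0 a3=0 items=4 ppid=1 pid=2 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="mv" exe="/bin/mv" key="rename-watch"
type=CWD msg=audit(1400605000.456:77):  cwd="/tmp"
type=PATH msg=audit(1400605000.456:77): item=0 name="/tmp/" inode=2 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1400605000.456:77): item=1 name="/tmp/" inode=2 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1400605000.456:77): item=2 name="/tmp/a" inode=17 dev=fd:00 mode=0100644 ouid=1000 ogid=1000 rdev=00:00
type=PATH msg=audit(1400605000.456:77): item=3 name="/tmp/b" inode=18 dev=fd:00 mode=0100644 ouid=1000 ogid=1000 rdev=00:00
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
RENAME_SYSCALLS = {"82", "264", "316"}  # x86_64 rename, renameat, renameat2


def decode_value(key, raw):
    """Unquote a value; audit hex-encodes a name that contains spaces or odd bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key == "name" and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields plus the event serial."""
    rec = {k: decode_value(k, v) for k, v in KV_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec["_time"], rec["_serial"] = m.group(1), int(m.group(2))
    return rec


def group_events(text):
    """Group records by serial; the SYSCALL, CWD and PATH records of one call share it."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["_serial"]].append(rec)
    return dict(events)


def summarize_rename(records):
    """Describe a rename() event, using nametype= to assign a role to each PATH record."""
    syscall = next(r for r in records if r["type"] == "SYSCALL")
    if syscall.get("syscall") not in RENAME_SYSCALLS:
        raise ValueError("not a rename-family syscall: %s" % syscall.get("syscall"))
    paths = sorted((r for r in records if r["type"] == "PATH"), key=lambda r: int(r["item"]))
    names = [p["name"] for p in paths]
    if not all("nametype" in p for p in paths):
        # Older kernels: the roles are simply not in the log, so do not guess them.
        return {"roles_known": False, "names": names}
    roles = defaultdict(list)
    for p in paths:
        roles[p["nametype"]].append(p["name"])
    deleted, created = roles["DELETE"], roles["CREATE"]
    return {
        "roles_known": True,
        "parents": roles["PARENT"],
        # The moved name appears only as DELETE; a replaced target is DELETE and then CREATE.
        "source": [n for n in deleted if n not in created],
        "target": created,
        "overwrote_existing": any(n in created for n in deleted),
        "comm": syscall.get("comm"),
    }


if __name__ == "__main__":
    for sample in (NEW_FORMAT, OLD_FORMAT):
        for serial, recs in group_events(sample).items():
            print(serial, summarize_rename(recs))
```

A report script that correlates both formats should branch on `roles_known`: with nametype present it can say "mv replaced /tmp/b with /tmp/a"; without it, the honest output is the ordered name list, since nothing in the older record says which name was unlinked.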