From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Paris
Subject: Re: aulast only displaying reboot pseudo-users
Date: Mon, 16 Jun 2014 17:28:02 -0400
Message-ID: <1402954082.11087.9.camel@localhost>
References: <20140605000405.687f6ad7@fornost.bigon.be> <11400116.CdDq4vnLvl@x2> <20140605004239.1724bbe8@fornost.bigon.be> <1487476.CjeIAT3yaP@x2> <20140605193404.079be96c@fornost.bigon.be> <20140614135319.18680d6f@fornost.bigon.be> <1402953610.11087.5.camel@localhost> <1402953852.11087.7.camel@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1402953852.11087.7.camel@localhost>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Laurent Bigonville
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Mon, 2014-06-16 at 17:24 -0400, Eric Paris wrote:
> On Mon, 2014-06-16 at 17:20 -0400, Eric Paris wrote:
>
> > I'd call this a pretty clear userspace bug where it just completely
> > drops records, even if it can't parse them...
>
> Definitely a userspace bug...
>
> [root@localhost eparis]# ausearch -m login
>
> [root@localhost eparis]# cat /var/log/audit/audit.log | grep "type=LOGIN" | wc -l
> 14
> [root@localhost eparis]# uname -a
> Linux localhost.localdomain 3.14.4-200.fc20.x86_64 #1 SMP Tue May 13 13:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> [root@localhost eparis]# rpm -q audit
> audit-2.3.7-1.fc20.x86_64
>
> type=LOGIN msg=audit(1402952461.125:37289): pid=30708 uid=0 old-auid=4294967295 new-auid=0 old-ses=4294967295 new-ses=137 res=1
>
> I get it that the parse doesn't know how to handle new-auid and new-ses,
> but just dropping the record really seems like a bad idea to me...
>

Ok, I'm finished chain e-mailing:

# cat /var/log/audit/audit.log | sed 's/new-auid/auid/' | sed 's/new-ses/ses/' | ausearch -m login

shows the records....
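
An added illustration, not part of the original mail or of the audit userspace code: a small Python reader that treats `new-auid`/`new-ses` as aliases of `auid`/`ses` (the same mapping as the sed workaround above) and puts any LOGIN record it cannot interpret in a review list instead of dropping it. The function names and every sample line except the first, which is the record quoted in the mail, are constructed for this example.

```python
import re

# Same renaming as the sed workaround in the mail: new-auid -> auid, new-ses -> ses.
ALIASES = {"new-auid": "auid", "new-ses": "ses"}
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")


def parse_record(line):
    """Return a dict for every input line; unparseable lines are flagged, never dropped."""
    m = HEADER.match(line.strip())
    if not m:
        return {"parsed": False, "raw": line}
    rtype, ts, serial, body = m.groups()
    fields = {}
    for token in body.split():
        key, sep, value = token.partition("=")
        if sep:  # keep unknown keys as they are, only rename the known aliases
            fields[ALIASES.get(key, key)] = value
    return {"parsed": True, "type": rtype, "time": float(ts),
            "serial": int(serial), "fields": fields, "raw": line}


def search_logins(lines):
    """Split LOGIN records into (understood, needs_review); nothing is discarded."""
    ok, review = [], []
    for line in lines:
        if "type=LOGIN" not in line:
            continue
        rec = parse_record(line)
        if rec["parsed"] and {"auid", "ses"} <= rec["fields"].keys():
            ok.append(rec)
        else:
            review.append(rec)  # surfaced to the operator instead of vanishing
    return ok, review


# Constructed sample input. Line 1 is the record quoted in the mail; line 2 is
# its sed-rewritten shape; line 3 uses a made-up field to stand in for a record
# layout this reader does not know; line 4 is a non-LOGIN record.
SAMPLE = [
    "type=LOGIN msg=audit(1402952461.125:37289): pid=30708 uid=0 old-auid=4294967295 new-auid=0 old-ses=4294967295 new-ses=137 res=1",
    "type=LOGIN msg=audit(1402952500.001:37301): pid=30800 uid=0 old-auid=4294967295 auid=1000 old-ses=4294967295 ses=138 res=1",
    "type=LOGIN msg=audit(1402952600.002:37310): pid=30900 uid=0 subject-id=7 res=1",
    "type=USER_AUTH msg=audit(1402952460.000:37288): pid=30708 uid=0 res=success",
]

if __name__ == "__main__":
    ok, review = search_logins(SAMPLE)
    for rec in ok:
        print("LOGIN", rec["serial"], "auid=" + rec["fields"]["auid"], "ses=" + rec["fields"]["ses"])
    for rec in review:
        print("LOGIN kept for review:", rec["raw"])
```

Comparing `len(ok) + len(review)` with a plain `grep -c "type=LOGIN"` of the same log is a quick check that a reader is not silently losing records.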