From: Steve Grubb
Subject: Re: Duplicate audit event IDs
Date: Thu, 6 Apr 2006 11:06:02 -0400
Message-ID: <200604061106.02733.sgrubb@redhat.com>
In-Reply-To: <60D45469A1AAD311A04C009027B6BF6805E38768@server20.inside.oracorp.com>
To: linux-audit@redhat.com

On Thursday 06 April 2006 10:47, Steve Brueckner wrote:
> What might cause this?

The event ID can be recycled. It's the combination of time stamp and serial
number that creates uniqueness.

> At some point my event IDs got reset (they didn't cycle that fast!). I've
> been playing quite a bit with the audit system so I'm not sure what caused
> it. Possibilities include:
>
> - Restarting the auditd service

Nope

> - Rebooting the machine

Yep

> - Deleting the /var/log/audit/audit.log file

Nope

There can also be wrapping.

> Or should this just plain not happen?

It can happen.

> I'm on FC4 using kernel 2.6.12-1.1447_FC4xen0. I'm afraid I can't easily
> upgrade at the moment because I've built an entire system predicated on old
> versions of SELinux and Xen.

You will likely have other problems on a kernel that old. I think 2.6.14 was
when we really had most features in place and stable.

> I also have a couple of other questions:
>
> - How large do audit event numbers get before they cycle back to zero?

I think it's a u32 number.

> - Is there any way to have ausearch only the most recent audit log instead
> of all logs?

Sure, use the "-if" option and give it the full path to the file.

ausearch -if /var/log/audit/audit.log

-Steve
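The point Steve makes above, that the serial alone is not unique but the pair (time stamp, serial) is, can be checked directly against an audit.log. The following Python is an added example, not code from the thread or from the audit project: it parses the msg=audit(SECONDS.MILLIS:SERIAL) field that every audit record carries, groups records into events by that pair, and reports serials that repeat. The log lines are constructed for the example; they mimic a daemon restart after a reboot, where the serial counter starts again at 1 while the time stamps keep increasing.

```python
import re
from collections import Counter, defaultdict

# Every audit record identifies its event as msg=audit(SECONDS.MILLIS:SERIAL).
AUDIT_ID_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")

# Constructed sample records (not real log data). The last two lines reuse
# serials 1 and 2 after a reboot, with later time stamps, as in the thread.
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1144337000.001:1): auditd start, ver=1.1.3
type=SYSCALL msg=audit(1144337005.120:2): arch=40000003 syscall=5 success=yes exit=3
type=PATH msg=audit(1144337005.120:2): item=0 name="/etc/passwd"
type=SYSCALL msg=audit(1144337006.330:3): arch=40000003 syscall=5 success=no exit=-13
type=DAEMON_START msg=audit(1144340600.002:1): auditd start, ver=1.1.3
type=SYSCALL msg=audit(1144340605.450:2): arch=40000003 syscall=5 success=yes exit=4
"""


def parse_audit_id(line):
    """Return ((seconds, millis), serial) for one audit record, or None."""
    m = AUDIT_ID_RE.search(line)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2))), int(m.group(3))


def group_events(log_text):
    """Group records into events keyed by (timestamp, serial), the unique id."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_audit_id(line)
        if parsed is not None:
            events[parsed].append(line)
    return dict(events)


def count_distinct(log_text, by_serial_only=False):
    """Count events; keying on the serial alone under-counts after a reboot."""
    keys = group_events(log_text).keys()
    if by_serial_only:
        return len({serial for _, serial in keys})
    return len(keys)


def duplicate_serials(log_text):
    """Serials seen with more than one time stamp (reboot, restart or wrap)."""
    counts = Counter(serial for _, serial in group_events(log_text))
    return sorted(serial for serial, n in counts.items() if n > 1)


if __name__ == "__main__":
    print("events by (timestamp, serial):", count_distinct(SAMPLE_LOG))
    print("events by serial only:        ", count_distinct(SAMPLE_LOG, True))
    print("repeated serials:             ", duplicate_serials(SAMPLE_LOG))
```

The SYSCALL and PATH records that share msg=audit(1144337005.120:2) correctly land in one event, while the post-reboot serial 2 stays a separate event because its time stamp differs; a tool that keyed on the serial alone would merge them and report three events instead of five.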