Linux-audit Archive on lore.kernel.org
* Excluding certain audit message types?
From: Paul Moore @ 2007-12-07 16:12 UTC (permalink / raw)
  To: linux-audit

Hello friendly audit people,

I have a pretty simple question which I hope has a pretty simple answer.  Is 
it possible to exclude a specific audit message type from the audit log?  The 
auditctl man page looks like it might be possible using the syntax below but 
I'm not sure ...

 # auditctl -a exclude,always -F msgtype=1415

-- 
paul moore
linux security @ hp

* Re: Excluding certain audit message types?
From: klausk @ 2007-12-07 18:14 UTC (permalink / raw)
  To: Paul Moore; +Cc: linux-audit, linux-audit-bounces

> Hello friendly audit people,
> 
> I have a pretty simple question which I hope has a pretty simple answer.
> Is it possible to exclude a specific audit message type from the audit log?
> The auditctl man page looks like it might be possible using the syntax below
> but I'm not sure ...
> 
>  # auditctl -a exclude,always -F msgtype=1415
> 

yes, this is correct, but you may want to consider using the (usually more 
meaningful) message type name instead:

# auditctl -a exclude,always -F msgtype=1112
or
# auditctl -a exclude,always -F msgtype=USER_LOGIN

Klaus

-- 
Klaus Heinrich Kiwi/Brazil/IBM <klausk@br.ibm.com>
Software Engineer
IBM STG, Linux Technology Center
Phone:(+55-19) 2132-1909 [T/L 839-1909]
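
Added example (not part of the thread and not code from the audit project): a Python reviewer that scans audit.rules-style text for exclude-filter rules like the ones discussed above and normalizes numeric and symbolic msgtype values, so that 1112 and USER_LOGIN are reported as the same suppression. Only the 1112/USER_LOGIN pair comes from the thread; the rest of the name table, the SENSITIVE set and the sample rules are assumptions constructed for illustration.

```python
import shlex

# Only 1112/USER_LOGIN is taken from the thread; the other entries are
# well-known audit record types added here for illustration.
MSGTYPE_NAMES = {1100: "USER_AUTH", 1101: "USER_ACCT", 1112: "USER_LOGIN",
                 1113: "USER_LOGOUT", 1300: "SYSCALL", 1305: "CONFIG_CHANGE"}
NAME_TO_NUM = {name: num for num, name in MSGTYPE_NAMES.items()}
# Assumption: record types a reviewer would not expect to see silenced.
SENSITIVE = {"USER_AUTH", "USER_ACCT", "USER_LOGIN", "USER_LOGOUT", "CONFIG_CHANGE"}

def parse_exclude_rule(line):
    """Return the msgtype values of an exclude-filter rule, or None for other lines."""
    tokens = shlex.split(line, comments=True)   # '#' starts a comment in rules files
    if tokens and tokens[0] == "auditctl":      # tolerate a pasted command line
        tokens = tokens[1:]
    action, fields = None, []
    it = iter(tokens)
    for tok in it:
        if tok in ("-a", "-A"):
            action = next(it, "")
        elif tok == "-F":
            fields.append(next(it, ""))
    if action is None or "exclude" not in action.split(","):
        return None
    # Only the "msgtype=<value>" form shown in the thread is handled here.
    return [f.split("=", 1)[1] for f in fields if f.startswith("msgtype=")]

def normalize(value):
    """Map a numeric or symbolic msgtype to (number, name); an unknown half is None."""
    if value.isdigit():
        return int(value), MSGTYPE_NAMES.get(int(value))
    return NAME_TO_NUM.get(value.upper()), value.upper()

def review(rules_text):
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        for value in parse_exclude_rule(line) or []:
            num, name = normalize(value)
            findings.append({"line": lineno, "number": num, "name": name,
                             "sensitive": name in SENSITIVE})
    return findings

SAMPLE_RULES = """\
# constructed sample in audit.rules syntax
-a exclude,always -F msgtype=1415
-a exclude,always -F msgtype=1112
-a exclude,always -F msgtype=USER_LOGIN
-a always,exit -F arch=b64 -S execve -k exec
"""

if __name__ == "__main__":
    print(*review(SAMPLE_RULES), sep="\n")
```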

* Re: Excluding certain audit message types?
From: Paul Moore @ 2007-12-07 18:51 UTC (permalink / raw)
  To: klausk; +Cc: linux-audit, linux-audit-bounces

On Friday 07 December 2007 1:14:38 pm klausk@br.ibm.com wrote:
> > Hello friendly audit people,
> >
> > I have a pretty simple question which I hope has a pretty simple answer.
> > Is it possible to exclude a specific audit message type from the audit
> > log?  The auditctl man page looks like it might be possible using the
> > syntax below but I'm not sure ...
> >
> >  # auditctl -a exclude,always -F msgtype=1415
>
> yes, this is correct, but you may want to consider using the (usually more
> meaningful) message type name instead:
>
> # auditctl -a exclude,always -F msgtype=1112
> or
> # auditctl -a exclude,always -F msgtype=USER_LOGIN

Great, thanks for the tip.

BTW, what is the linux-audit-bounces list?  Some majordomo magic?

-- 
paul moore
linux security @ hp

* Re: Excluding certain audit message types?
From: klausk @ 2007-12-07 18:58 UTC (permalink / raw)
  To: Paul Moore; +Cc: linux-audit, linux-audit-bounces

> 
> BTW, what is the linux-audit-bounces list?  Some majordomo magic?

You (and everyone else in this and other lists) will have to excuse me for 
that - it's probably my mailer (Lotus Notes). I'm working on an external 
mailer solution, though.

For the time being just ignore it (and the html part in my e-mails) =)

 Klaus
-- 
Klaus Heinrich Kiwi/Brazil/IBM <klausk@br.ibm.com>
Software Engineer
IBM STG, Linux Technology Center
Phone:(+55-19) 2132-1909 [T/L 839-1909]