From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: audit 1.7.4 released
Date: Tue, 27 May 2008 13:15:36 -0400
Message-ID: <200805271315.36790.sgrubb@redhat.com>
References: <200805191450.06153.sgrubb@redhat.com>
	<1211904978.6568.53.camel@homeserver>
	<1211907448.17805.1.camel@klausk.br.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1211907448.17805.1.camel@klausk.br.ibm.com>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
Cc: Linux Audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Tuesday 27 May 2008 12:57:28 Klaus Heinrich Kiwi wrote:
> On Tue, 2008-05-27 at 11:16 -0500, LC Bruzenak wrote:
> > On Tue, 2008-05-27 at 12:10 -0400, Steve Grubb wrote:
> > ...
> >
> > > > Once we aggregate these would be tough to separate.
> > >
> > > That is why we added the node field. :)  You should probably enable it
> > > with the name_format option.
> >
> > I think I do have it:
> >
> > [root@hugo audit]# grep name_format /etc/audit/auditd.conf
> > name_format = hostname
>
> Isn't the audit dispatcher's role of adding the node name in the record?
> If so, only records going through the audispd would have this field.

People may want the node name on disk as well as associated with events in the 
real time stream. So, there are separate enablers.

-Steve