Ausearch message types

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

* Ausearch message types
@ 2011-04-12 22:59 Steve M. Zak
  2011-04-12 23:32 ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: Steve M. Zak @ 2011-04-12 22:59 UTC (permalink / raw)
  To: linux-audit@redhat.com

Hi,

Where can I find a definition list for the ausearch message types?  I didn't find anything on google or in the man page.

Steve Grubb referenced -m RESP_ACC_LOCK (account lockout) and -m USER_AUTH (user authentication)

I'd like to know what the other ones can do.

Thanks!


____________________________________________
Steve M. Zak, 



-- 
This email was Anti Virus checked by Astaro Security Gateway. http://www.astaro.com

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Ausearch message types
  2011-04-12 22:59 Ausearch message types Steve M. Zak
@ 2011-04-12 23:32 ` Steve Grubb
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2011-04-12 23:32 UTC (permalink / raw)
  To: linux-audit

On Tuesday, April 12, 2011 06:59:59 PM Steve M. Zak wrote:
> Where can I find a definition list for the ausearch message types?  I
> didn't find anything on google or in the man page.

There is some text in the header files. Maybe not the ideal location but its there so
programmers have it when they look at the possible definitions. The main difference
between the headers and ausearch is ausearch does not make you type the AUDIT_ prefix.

https://fedorahosted.org/audit/browser/trunk/lib/libaudit.h#L40

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=include/linux/audit.h;h=9d339eb278810a36e8549bad93954f8d31636f44;hb=HEAD

-Steve

^ permalink raw reply	[flat|nested] 4+ messages in thread

* ausearch message types
@ 2016-10-31 23:21 LC Bruzenak
  2016-10-31 23:37 ` LC Bruzenak
  0 siblings, 1 reply; 4+ messages in thread
From: LC Bruzenak @ 2016-10-31 23:21 UTC (permalink / raw)
  To: linux-audit

I'm on the 2.4.5 version of the audit code.
Has anyone thought about or implemented a exclusionary message list, 
such as:

ausearch -m ALL-avc,user_avc -ts today

I'd like to be able to search in this manner, where I exclude certain 
message types.
I could write a patch, but if anyone has already done this I'd happily 
use theirs.
The message type list is so long that it would be painful to have the 
comma-delimited list of all but a couple.

Thx,
LCB

-- 
LC Bruzenak
magitekltd.com

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: ausearch message types
  2016-10-31 23:21 ausearch " LC Bruzenak
@ 2016-10-31 23:37 ` LC Bruzenak
  0 siblings, 0 replies; 4+ messages in thread
From: LC Bruzenak @ 2016-10-31 23:37 UTC (permalink / raw)
  To: linux-audit

On 10/31/2016 04:21 PM, LC Bruzenak wrote:
> I'm on the 2.4.5 version of the audit code.
> Has anyone thought about or implemented a exclusionary message list, 
> such as:
>
> ausearch -m ALL-avc,user_avc -ts today

Actually in this case I'm running the search from a script so I can 
easily take the stderr results from "ausearch -i -m help", pipe them 
into a sed substitution which removes the preceding text, removes the 
ones I don't want, and replaces the spaces with commas.
So for now I am set; still I think it would perhaps be helpful to have 
at some point.

-- 
LC Bruzenak
magitekltd.com

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2016-10-31 23:37 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-04-12 22:59 Ausearch message types Steve M. Zak
2011-04-12 23:32 ` Steve Grubb
  -- strict thread matches above, loose matches on Subject: below --
2016-10-31 23:21 ausearch " LC Bruzenak
2016-10-31 23:37 ` LC Bruzenak

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox