From: Steve Grubb
Subject: Re: How to identify failed syscalls
Date: Fri, 25 Oct 2013 08:41:54 -0400
Message-ID: <3034442.P6g9D14k2P@x2>
In-Reply-To: <526A474C.1010902@gmail.com>
To: linux-audit@redhat.com

On Friday, October 25, 2013 06:26:20 AM Leam Hall wrote:
> Running aureport gives me a lot of failed syscalls. How do I identify
> what syscalls are failing and what is calling them?

Aureport's purpose is to give summary information. Ausearch gives detailed
information. To get what syscalls are failing, you can just run the
"--syscall --summary" report. To see what is calling them is a bit trickier.
You can isolate the events with ausearch and then pipe them to aureport for
summarizing:

    ausearch --start today -m syscall -sv no --raw | aureport -x --summary

If you need to see the individual events, then

    ausearch --start today -m syscall -sv no -i

-Steve
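
Added example, not part of the message above and not code from the audit project: a small Python tally over raw SYSCALL records that pairs each failing syscall number with the executable that made it and the errno it returned, a view that combines the two summary reports mentioned in the reply. The sample records, the function names and the paths in them are constructed for illustration.

```python
import errno
import re
from collections import Counter

# Constructed sample records in raw audit.log layout (not from the thread).
SAMPLE = """\
type=SYSCALL msg=audit(1382704914.101:201): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1 a1=0 a2=0 a3=0 items=1 ppid=900 pid=1201 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1382704914.101:201): item=0 name="/var/log/secure" inode=1311 dev=fd:00 mode=0100600
type=SYSCALL msg=audit(1382704915.220:202): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd2 a1=0 a2=0 a3=0 items=1 ppid=900 pid=1202 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1382704916.330:203): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd3 a1=0 a2=0 a3=0 items=1 ppid=900 pid=1203 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1382704917.440:204): arch=c000003e syscall=4 success=no exit=-2 a0=7ffd4 a1=0 a2=0 a3=0 items=1 ppid=900 pid=1204 auid=1000 uid=1000 comm="find" exe="/usr/bin/find" key=(null)
"""

# name=value pairs; values are either double-quoted or a run of non-space chars.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit record into a dict of its name=value fields."""
    return {name: value.strip('"') for name, value in FIELD.findall(line)}


def failed_syscalls(lines):
    """Count failed SYSCALL records per (exe, syscall number, errno name)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("success") != "no":
            continue  # skip PATH/CWD records and successful calls
        try:
            err = abs(int(rec.get("exit", "0")))  # failures carry -errno in exit=
        except ValueError:
            err = 0
        err_name = errno.errorcode.get(err, str(err))
        # syscall= stays numeric in raw output and is arch-specific;
        # ausearch -i is what translates it to a name.
        counts[(rec.get("exe", "?"), rec.get("syscall", "?"), err_name)] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (exe, nr, err_name), n in failed_syscalls(SAMPLE.splitlines()):
        print(f"{n:5d}  {exe}  syscall={nr}  {err_name}")
```

To use it on real data, pass the lines produced by the `ausearch --start today -m syscall -sv no --raw` command from the reply to `failed_syscalls()` instead of the sample.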