* Ausearch message types
From: Steve M. Zak @ 2011-04-12 22:59 UTC (permalink / raw)
To: linux-audit@redhat.com
Hi,
Where can I find a definition list for the ausearch message types? I didn't find anything on Google or in the man page.
Steve Grubb referenced -m RESP_ACC_LOCK (account lockout) and -m USER_AUTH (user authentication).
I'd like to know what the other ones can do.
Thanks!
____________________________________________
Steve M. Zak,
* Re: Ausearch message types
From: Steve Grubb @ 2011-04-12 23:32 UTC (permalink / raw)
To: linux-audit
On Tuesday, April 12, 2011 06:59:59 PM Steve M. Zak wrote:
> Where can I find a definition list for the ausearch message types? I
> didn't find anything on google or in the man page.
There is some text in the header files. Maybe not the ideal location, but it's there so
programmers have it when they look at the possible definitions. The main difference
between the headers and ausearch is that ausearch does not make you type the AUDIT_ prefix.
https://fedorahosted.org/audit/browser/trunk/lib/libaudit.h#L40
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=include/linux/audit.h;h=9d339eb278810a36e8549bad93954f8d31636f44;hb=HEAD
-Steve
* ausearch message types
From: LC Bruzenak @ 2016-10-31 23:21 UTC (permalink / raw)
To: linux-audit
I'm on the 2.4.5 version of the audit code.
Has anyone thought about or implemented an exclusionary message list,
such as:
ausearch -m ALL-avc,user_avc -ts today
I'd like to be able to search in this manner, where I exclude certain
message types.
I could write a patch, but if anyone has already done this I'd happily
use theirs.
The message type list is so long that it would be painful to have the
comma-delimited list of all but a couple.
Thx,
LCB
--
LC Bruzenak
magitekltd.com
* Re: ausearch message types
From: LC Bruzenak @ 2016-10-31 23:37 UTC (permalink / raw)
To: linux-audit
On 10/31/2016 04:21 PM, LC Bruzenak wrote:
> I'm on the 2.4.5 version of the audit code.
> Has anyone thought about or implemented an exclusionary message list,
> such as:
>
> ausearch -m ALL-avc,user_avc -ts today
Actually in this case I'm running the search from a script so I can
easily take the stderr results from "ausearch -i -m help", pipe them
into a sed substitution which removes the preceding text, removes the
ones I don't want, and replaces the spaces with commas.
So for now I am set; still I think it would perhaps be helpful to have
at some point.
--
LC Bruzenak
magitekltd.com
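
The workaround described in the message above, as an added example that is not part of the original post or the audit project's code: a shell function that turns the `ausearch -i -m help` text into a comma-separated list with selected types left out. The function name `msg_types_except`, the sample text, and the "Valid message types are:" prefix are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of the help text. The real list is far longer, and the
# "Valid message types are:" prefix is an assumption about its format.
SAMPLE_HELP='Valid message types are: ALL USER_AUTH USER_ACCT AVC USER_AVC LOGIN SYSCALL '

# msg_types_except [TYPE...]   (hypothetical helper name)
# Reads the help text on stdin and prints every message type except ALL and
# the types named as arguments (case-insensitive), joined with commas.
msg_types_except() {
    # One pattern per line; ALL is always dropped because it would
    # cancel out the exclusion when passed back to -m.
    exclude=$(printf '%s\n' ALL "$@" | tr '[:lower:]' '[:upper:]')

    sed -e 's/^.*: *//' |                 # remove the text preceding the list
        tr -s ' \t' '\n\n' |              # one token per line
        grep -E '^[A-Z][A-Z0-9_]*$' |     # keep only tokens shaped like type names
        grep -vxF -e "$exclude" |         # -x: AVC must not also match USER_AVC
        paste -sd, -                      # replace the separators with commas
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_HELP" | msg_types_except avc user_avc

# In a script, assuming the list goes to stderr as the message says:
#   types=$(ausearch -i -m help 2>&1 | msg_types_except avc user_avc)
#   ausearch -i -m "$types" -ts today
```

The whole-line match (`-x`) matters here: without it, excluding `AVC` would also drop `USER_AVC` and any other type whose name contains that string.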