From: LC Bruzenak
Subject: ausearch message types
Date: Mon, 31 Oct 2016 16:21:02 -0700
Message-ID: <5817D1DE.7040909@magitekltd.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I'm on the 2.4.5 version of the audit code.

Has anyone thought about or implemented an exclusionary message list, such as:

    ausearch -m ALL-avc,user_avc -ts today

I'd like to be able to search in this manner, where I exclude certain message types. I could write a patch, but if anyone has already done this I'd happily use theirs.

The message type list is so long that it would be painful to have the comma-delimited list of all but a couple.

Thx,
LCB

--
LC Bruzenak
magitekltd.com
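An added example, not part of the original post and not code from the audit project: a filter over raw audit records that applies the exclusion list requested above. The `ALL-` prefix is the poster's proposed syntax, not an existing ausearch option; the names `parse_spec` and `filter_events` are hypothetical, the sample records are constructed, and dropping a whole event when any of its records has an excluded type is an assumption about the desired semantics.

```python
import re
import sys

# Raw audit record prefix: [node=HOST ]type=NAME msg=audit(EPOCH.MS:SERIAL):
# Records that share EPOCH.MS:SERIAL belong to the same event.
RECORD_RE = re.compile(r"^(?:node=\S+\s+)?type=(\S+)\s+msg=audit\((\d+\.\d+:\d+)\):")

# Constructed sample records (not taken from a real system).
SAMPLE = """\
type=AVC msg=audit(1477956062.101:500): avc:  denied  { read } for  pid=1234 comm="httpd"
type=SYSCALL msg=audit(1477956062.101:500): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=USER_LOGIN msg=audit(1477956070.220:501): pid=2001 uid=0 msg='op=login res=success'
type=USER_AVC msg=audit(1477956075.003:502): pid=800 uid=81 msg='avc:  denied  { send_msg }'
type=CRED_ACQ msg=audit(1477956080.900:503): pid=2001 uid=0 msg='op=PAM:setcred res=success'
""".splitlines()

def parse_spec(spec):
    """Parse 'ALL-avc,user_avc' (exclude) or 'avc,login' (include) into (mode, types)."""
    mode = "include"
    if spec.upper().startswith("ALL-"):
        mode, spec = "exclude", spec[4:]
    types = {t.strip().upper() for t in spec.split(",") if t.strip()}
    if not types:
        raise ValueError("no message types given")
    return mode, types

def filter_events(lines, spec):
    """Return the records of every event that passes the include/exclude spec."""
    mode, types = parse_spec(spec)
    events = {}  # event id -> [(record type, line)], in first-seen order
    for line in lines:
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip anything that is not a raw audit record
        events.setdefault(m.group(2), []).append((m.group(1).upper(), line.rstrip("\n")))
    kept = []
    for records in events.values():
        hit = any(rtype in types for rtype, _ in records)
        if hit == (mode == "include"):  # include: keep hits; exclude: keep misses
            kept.extend(line for _, line in records)
    return kept

if __name__ == "__main__":
    spec = sys.argv[1] if len(sys.argv) > 1 else "ALL-avc,user_avc"
    source = sys.stdin if len(sys.argv) > 1 else SAMPLE
    print("\n".join(filter_events(source, spec)))
```

With a spec argument the script reads records from standard input, so it can sit behind `ausearch --raw -ts today`; with no argument it runs on the constructed sample.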