Monitoring events

Steve Grubb sgrubb at redhat.com
Thu Jun 8 14:04:16 UTC 2006


On Thursday 08 June 2006 09:55, Steve wrote:
> Ideally, I would like to only capture (or parse) events pertaining to
> rules I have created (since other system processes are using auditd as
> well).  Is there any kind of identifier that ties events to rules?

Which kernel are you using? Are your events only watches or do you care about 
syscall auditing as well (meaning you have set some syscall audit rules)?

-Steve



