Monitoring events
Steve Grubb
sgrubb at redhat.com
Thu Jun 8 14:04:16 UTC 2006
On Thursday 08 June 2006 09:55, Steve wrote:
> Ideally, I would like to only capture (or parse) events pertaining to
> rules I have created (since other system processes are using auditd as
> well). Is there any kind of identifier that ties events to rules?
Which kernel are you using? Are your events only watches or do you care about
syscall auditing as well (meaning you have set some syscall audit rules)?
-Steve
More information about the Linux-audit mailing list