Monitoring events
Steve
m6x at ornl.gov
Thu Jun 8 14:22:09 UTC 2006
>> Ideally, I would like to only capture (or parse) events pertaining to
>> rules I have created (since other system processes are using auditd as
>> well). Is there any kind of identifier that ties events to rules?
> Which kernel are you using? Are your events only watches or do you care about
> syscall auditing as well (meaning you have set some syscall audit rules)?
kernel-2.6.16-1.2212.2.8_FC6.lspp.34.i686 on Fedora Core 5
At the moment they are only watches; I may add others (syscall rules) later.
Thanks again,
Steve