Why aren't SYSCALLS being logged in CentOS kernel (any ideas?)

Fri Aug 31 16:02:43 UTC 2007

On Friday 31 August 2007 11:40:07 Robert Evans wrote:
> I'm using CentOS, kernel 2.6.18-8.el5.  I've compiled audit-1.5.6-1 and I'm
> getting USER_AUTH events (logins, su, etc...) but I'm not seeing any
> syscall events.
>
> Any ideas?

Offhand, the rules look Ok. If you can list them back out "auditctl -l" that 
means that the syscall auditing part of the kernel is compiled in and 
partially working. Other than that, I have no idea - I don't use their 
kernel.

-Steve