missing avc message field names

James Antill jantill at redhat.com
Tue Jan 30 22:53:08 UTC 2007


On Tue, 2007-01-30 at 09:49 -0500, Karl MacMillan wrote: 
> Steve Grubb wrote:
> > ausearch -m all --raw | grep anything you want
> 
> tail -f happens to be my favorite counter example, but I am certain 
> there are other useful tricks for monitoring logs that will break. Not 
> to mention the number of log monitoring and aggregation tools that 
> assume text logs.

To be fair, the new audit dispatcher already has a plugin that does the
same thing as "tail -f" without needing to call stat(), and that'll be
released before auditd has binary logs ... although one could certainly
argue that it's not as obvious, it seems like a small price.

-- 
James Antill <jantill at redhat.com>
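The thread turns on consumers that assume text audit logs: grep, "tail -f", and monitoring tools built on them. The Python below is an added example, not code from this message or from the audit project, showing what such a consumer does with the text format: it parses each record into its named fields (the message type, timestamp, serial and key=value pairs, including the AVC-specific decision and permission set), groups records by serial the way ausearch groups an event, filters like `ausearch -m TYPE --raw | grep PATTERN`, and follows an already-open file the way "tail -f" does without calling stat(). The sample records and the list of expected AVC field names are constructed for the example.

```python
import re
import time
from typing import Dict, Iterable, List, Optional

# Constructed sample records in the text format auditd writes (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1170195188.413:2103): avc:  denied  { read } for  pid=2718 comm="httpd" name="index.html" dev=dm-0 ino=262401 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1170195188.413:2103): arch=40000003 syscall=5 success=no exit=-13 pid=2718 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1170195190.001:2104): avc:  granted  { setenforce } for  pid=2800 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Field names an AVC record is expected to carry (constructed list for this example).
EXPECTED_AVC_FIELDS = ("pid", "comm", "scontext", "tcontext", "tclass")

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(r"^avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Optional[Dict]:
    """Parse one text audit record into type, time, serial and named fields; None if not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec: Dict = {"type": m.group("type"), "time": float(m.group("ts")), "serial": int(m.group("serial"))}
    body = m.group("body")
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if a:
            rec["decision"] = a.group("decision")
            rec["perms"] = a.group("perms").split()
            body = a.group("rest")
    # Remaining key=value pairs; quoted values have their quotes stripped.
    rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return rec


def missing_fields(rec: Dict, expected: Iterable[str] = EXPECTED_AVC_FIELDS) -> List[str]:
    """Names from `expected` that the record does not carry (the thread's subject: missing field names)."""
    return [name for name in expected if name not in rec["fields"]]


def select(lines: Iterable[str], msg_type: Optional[str] = None, pattern: Optional[str] = None) -> List[Dict]:
    """Text-pipeline equivalent of `ausearch -m TYPE --raw | grep PATTERN` over the given lines."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if msg_type and rec["type"] != msg_type:
            continue
        if pattern and not re.search(pattern, line):
            continue
        out.append(rec)
    return out


def group_events(records: Iterable[Dict]) -> Dict[int, List[Dict]]:
    """Group records by serial, the way ausearch presents the AVC and SYSCALL lines of one event together."""
    events: Dict[int, List[Dict]] = {}
    for rec in records:
        events.setdefault(rec["serial"], []).append(rec)
    return events


def follow(fh, poll: float = 0.5, idle_limit: Optional[float] = None):
    """Yield lines appended to an already-open text file, tail -f style, without calling stat().

    readline() returns '' at end of file and later returns newly appended data, so no
    size check is needed. idle_limit stops the generator after that many idle seconds
    (None means follow forever, as tail -f does).
    """
    idle = 0.0
    while True:
        line = fh.readline()
        if line:
            idle = 0.0
            yield line
            continue
        if idle_limit is not None and idle >= idle_limit:
            return
        time.sleep(poll)
        idle += poll


if __name__ == "__main__":
    recs = [r for r in map(parse_record, SAMPLE_LOG.splitlines()) if r]
    for serial, group in group_events(recs).items():
        types = ",".join(r["type"] for r in group)
        print(f"event {serial}: {types}")
    for rec in select(SAMPLE_LOG.splitlines(), msg_type="AVC"):
        print(rec["decision"], rec["perms"], rec["fields"]["comm"], "missing:", missing_fields(rec))
```

Running it stand-alone parses the constructed records and prints one line per event and per AVC decision; pointing `follow()` at an open `/var/log/audit/audit.log` handle and feeding its lines to `parse_record()` is the whole of a "tail -f"-style monitor.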

More information about the Linux-audit mailing list