missing avc message field names

Karl MacMillan kmacmillan at mentalrootkit.com
Wed Jan 31 00:50:52 UTC 2007


James Antill wrote:
> On Tue, 2007-01-30 at 09:49 -0500, Karl MacMillan wrote: 
>> Steve Grubb wrote:
>>> ausearch -m all --raw | grep anything you want
>> tail -f happens to be my favorite counter example, but I am certain 
>> there are other useful tricks for monitoring logs that will break. Not 
>> to mention the number of log monitoring and aggregation tools that 
>> assume text logs.
> 
>  To be fair the new audit dispatcher already has a plugin that does the
> same thing as "tail -f" without needing to call stat(), and that'll be
> released before auditd has binary logs ... although one could certainly
> argue that it's not as obvious, it seems like a small price.
> 

So you will have that wheel reinvented soon - that still leaves many, 
many more that you have no control over.

Karl
