How to read audit log?

Todd, Charles CTODD at ball.com
Tue Sep 25 17:47:34 UTC 2007


> -----Original Message-----
> It also assembles the records into an 
> event before presenting them. It interprets some of the data 
> so that it's more usable even if you don't ask for a full 
> interpretation.
> 
> -Steve

Steve,
On my 1.0.15 installation, I did some quick scraping to see if audit
trail records could be split after ausearch was done processing them,
and yes, they can be split.  I'm fine with the raw logs not
necessarily being joined, but this was the output from ausearch.  It did
it even when I asked for the split record by event id, that is, it still
split them into separate records.  I estimate that this is really only
for about 0.5% of the records though, and it may be tied to my
particular version.

This does make it difficult to know that I haven't missed anything. 

Thanks,
Charlie Todd 
Ball Aerospace & Technologies Corp.  
 



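One way to check saved ausearch output for the split events described in the message above, as an added example that is not part of the original post or the audit project's code. It assumes the raw output layout in which `----` lines separate blocks and each record carries `msg=audit(<time>:<serial>)`; the sample text and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Event id carried by every record: msg=audit(<epoch>.<ms>:<serial>)
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Constructed sample: event 1042 is split across the first and third block.
SAMPLE = """\
----
time->Tue Sep 25 11:47:34 2007
type=SYSCALL msg=audit(1190742454.311:1042): arch=40000003 syscall=5 success=yes exit=3
----
time->Tue Sep 25 11:47:34 2007
type=USER_AUTH msg=audit(1190742454.402:1043): user pid=2201 uid=0 res=success
----
time->Tue Sep 25 11:47:34 2007
type=PATH msg=audit(1190742454.311:1042): item=0 name="/etc/passwd" inode=98765
"""

def find_split_events(ausearch_text):
    """Return {event_id: [block indexes]} for events seen in more than one block."""
    blocks_for = defaultdict(list)
    block = -1
    for line in ausearch_text.splitlines():
        if line.strip() == "----":
            block += 1
            continue
        m = EVENT_ID.search(line)
        if not m:
            continue              # "time->" header or blank line
        block = max(block, 0)     # tolerate input with no leading separator
        event = f"{m.group(1)}:{m.group(2)}"
        if block not in blocks_for[event]:
            blocks_for[event].append(block)
    return {e: b for e, b in blocks_for.items() if len(b) > 1}

def regroup(ausearch_text):
    """Rejoin records by event id so a split event is reviewed as one unit."""
    events = {}
    for line in ausearch_text.splitlines():
        m = EVENT_ID.search(line)
        if m:
            events.setdefault(f"{m.group(1)}:{m.group(2)}", []).append(line)
    return events

if __name__ == "__main__":
    for event, blocks in find_split_events(SAMPLE).items():
        print(f"event {event} split across blocks {blocks}")
```
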



