[PATCH] Add End of Event record
Steve Grubb
sgrubb at redhat.com
Thu Sep 27 21:39:57 UTC 2007
On Thursday 27 September 2007 13:18:35 Todd, Charles wrote:
> 3. Administrative records are passed, perhaps at the dispatcher's startup and
> at the start of a file when rotated, that document which version of
> auditd, uname -r, output of gnu_get_libc_version(), and the local system
> date/time.
I updated the DAEMON_START record to be like this:
type=DAEMON_START msg=audit(09/27/2007 13:18:04.858:8081) : auditd start,
ver=1.6.3 format=raw kernel=2.6.23-0.202.rc8.fc8 auid=root pid=28173
res=success
So, 1.6.3 and later will have the kernel version & release.
-Steve
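As an added illustration (not code from the thread or from the audit project), here is a small parser for the DAEMON_START record quoted above, plus a check that the administrative fields the message mentions are present. It assumes the record layout shown in the mail (type=, msg=audit(timestamp:serial), then space-separated key=value fields) and accepts both the interpreted timestamp form shown and the raw epoch form; the sample line is constructed from the quoted record.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the DAEMON_START record quoted in the message above,
# re-joined onto one line (the mail client wrapped it).
SAMPLE = ("type=DAEMON_START msg=audit(09/27/2007 13:18:04.858:8081) : auditd start, "
          "ver=1.6.3 format=raw kernel=2.6.23-0.202.rc8.fc8 auid=root pid=28173 res=success")

# Audit header: type=<TYPE> msg=audit(<timestamp>:<serial>) : <body>
# The timestamp is either epoch seconds ("1190898884.858") or the interpreted
# form shown in the message ("09/27/2007 13:18:04.858"); the non-greedy match
# stops at the final ":<digits>)" so the colons inside the time are safe.
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<stamp>.+?):(?P<serial>\d+)\)\s*:?\s*(?P<body>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_stamp(stamp):
    """Return an aware UTC datetime for either timestamp form."""
    if re.fullmatch(r"\d+\.\d+", stamp):
        return datetime.fromtimestamp(float(stamp), tz=timezone.utc)
    return datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=timezone.utc)

def parse_record(line):
    """Split one audit line into its type, serial, timestamp and key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = dict(FIELD_RE.findall(m.group("body")))
    return {"type": m.group("type"), "serial": int(m.group("serial")),
            "time": parse_stamp(m.group("stamp")), "fields": fields}

def missing_admin_fields(rec):
    """For a DAEMON_START record, list the administrative fields that are absent.
    Per the message, auditd 1.6.3 and later also emit kernel=; every version
    is expected to carry ver=. Other record types are not checked."""
    if rec["type"] != "DAEMON_START":
        return []
    f = rec["fields"]
    expected = ["ver"]
    ver = tuple(int(x) for x in f.get("ver", "0").split(".") if x.isdigit())
    if ver >= (1, 6, 3):
        expected.append("kernel")
    return [k for k in expected if k not in f]
```

Feeding the DAEMON_START lines from a rotated log through `missing_admin_fields` is a quick way to confirm the daemon and kernel versions were actually recorded at each start.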