[PATCH 1/2] fix a bug that use option '-r' cannot output all unformatted logs
Peng Haitao
penght at cn.fujitsu.com
Tue Jul 29 10:07:15 UTC 2008
Hello Steve,
The log whose message type is CONFIG_CHANGE does not contain "auid=" and exists
in /var/log/audit/audit.log. Is this OK, or has the log lost "auid="?
If you think this is OK, I will make a new patch.
Peng Haitao said the following on 2008-7-29 13:40:
> Hello Steve,
>
> Executing command "echo 'type=CONFIG_CHANGE msg=audit(1214114026.152:1641): op=updated rules specifying path="/home/pht/source/sys_temp" with dev=4294967295 ino=4294967295 list=-672208416 res=1' | ausearch -r", the output is NULL.
> The log is from /var/log/audit/audit.log and not modified.
>
> Signed-off-by: Peng Haitao <penght at cn.fujitsu.com>
> ---
> src/ausearch-parse.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
> index 141fdee..0c38be1 100755
> --- a/src/ausearch-parse.c
> +++ b/src/ausearch-parse.c
> @@ -1403,7 +1403,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
> // get loginuid
> str = strstr(n->message, "auid=");
> if (str == NULL)
> - return 1;
> + return 0;
> ptr = str + 5;
> term = strchr(ptr, ' ');
> if (term)
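Review bot: at `if (str == NULL)`, the new `return 0;` still leaves the function early, so a record without "auid=" skips everything below it in parse_simple_message, starting with the `ptr = str + 5;` block, and the caller now gets the same result as for a record that was parsed in full. Consider guarding only the loginuid extraction with `if (str) { ... }` so the rest of the function still runs. A comment naming the record type that lacks the field (CONFIG_CHANGE, per the report) would also help. It would be worth stating what a search that filters on loginuid should do with such a record, since no loginuid is parsed for it on this path.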
--
Regards
Peng Haitao