aureport summary
Steve Grubb
sgrubb at redhat.com
Wed May 28 23:42:50 UTC 2008
On Wednesday 28 May 2008 19:27:45 LC Bruzenak wrote:
> IIUC the last line - number of events - should be the sum of all the
> previous.
> However, adding up the events (barring OE) before that comes to 23791. I
> guess there are overlaps too - for example, the keys are possibly also
> in syscall events?
> Are some events missing on purpose?
Yes. Not every event falls into a category mentioned above. For example, on
login you have USER_ACCT and CRED_ACQ, both of which are not picked off and
highlighted. Just the USER_AUTH and USER_START get counted. There are others
like that all over.
So, the short answer is that there are no guarantees that they all add up and
yes there can be overlaps.
-Steve
More information about the Linux-audit
mailing list