no node= in ausearch

LC Bruzenak lenny at magitekltd.com
Sat Sep 13 01:40:23 UTC 2008


On Fri, 2008-09-12 at 20:05 -0400, DJ Delorie wrote:
> > Just as an aside, I was sending in the auditctl event because I do not
> > see the "node=" information in the ausearch results on my collector.
> > So I wasn't certain which machine might be initiating the event.
> 
> Locally generated events won't have the node= (at least, on my machine
> they don't).  Remotely generated events should have the node= on them.

I thought there was a distinction as to where it was assigned, as in
auditd.conf vice audispd.conf. The raw data (in the log) does have it
locally.

So anyway, if I see no node= events in the collector I know that it
isn't getting any events. 
Also the sender's audispd sends log messages saying the queue is full
and it must drop the events.

LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
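
The check discussed in this message (are any `node=` records reaching the collector?) can be scripted over the collector's raw log. The following is an added example, not code from the original post or from the audit project; the host names, the sample records and the function names are constructed, and it assumes, as in the quoted reply, that a record with no `node=` prefix was generated locally.

```python
import re
from collections import Counter

# Constructed sample of a collector's raw audit log (not from the original post).
# "sender1" is an assumed remote host name.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1221267600.101:41): arch=c000003e syscall=2 success=yes exit=3
node=sender1 type=CONFIG_CHANGE msg=audit(1221267610.202:77): auid=500 op="add rule" res=1
node=sender1 type=SYSCALL msg=audit(1221267611.303:78): arch=c000003e syscall=2 success=yes exit=3
this line is not an audit record and is skipped
type=USER_LOGIN msg=audit(1221267620.404:42): pid=2211 uid=0 res=success
"""

# A node= field, when present, is the first field of the record.
NODE_RE = re.compile(r"^node=(\S+)\s+type=")
# Minimal shape of an audit record: type=... msg=audit(seconds.millis:serial):
RECORD_RE = re.compile(r"\btype=\S+\s+msg=audit\(\d+\.\d+:\d+\):")


def count_by_node(log_text, local_label="(local)"):
    """Count audit records per originating node; records without node= are
    counted under local_label (assumption: they were generated locally)."""
    counts = Counter()
    for line in log_text.splitlines():
        if not RECORD_RE.search(line):
            continue  # skip anything that is not an audit record
        m = NODE_RE.match(line)
        counts[m.group(1) if m else local_label] += 1
    return counts


def silent_senders(log_text, expected):
    """Return the expected sender names that contributed no records."""
    counts = count_by_node(log_text)
    return sorted(host for host in expected if counts[host] == 0)


if __name__ == "__main__":
    for node, n in sorted(count_by_node(SAMPLE_LOG).items()):
        print(f"{node}: {n} record(s)")
    print("no records from:", silent_senders(SAMPLE_LOG, ["sender1", "sender2"]))
```

A sender that appears in the silent list is the case to correlate with "queue is full" messages from that sender's audispd.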



