How to identify failed syscalls
Steve Grubb
sgrubb at redhat.com
Fri Oct 25 12:41:54 UTC 2013
On Friday, October 25, 2013 06:26:20 AM Leam Hall wrote:
> Running aureport gives me a lot of failed syscalls. How do I identify
> what syscalls are failing and what is calling them?
Aureport's purpose is to give summary information. Ausearch gives detailed
information. To get what syscalls are failing, you can just run the "--syscall
--summary" report. To see what is calling them is a bit trickier. You can
isolate the events with ausearch and then pipe them to aureport for
summarizing:
ausearch --start today -m syscall -sv no --raw | aureport -x --summary
If you need to see the individual events, then
ausearch --start today -m syscall -sv no -i
-Steve
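
The following is an added example, not part of the original message or of the audit tools: a small Python parser that groups failed SYSCALL records by executable, syscall number and errno, which is the breakdown the question asks for. The sample records are constructed, and the function names are hypothetical; the input is assumed to be in the raw record format produced by the ausearch --raw command above.

```python
import errno
import re
from collections import Counter

# Constructed sample in the raw record format of `ausearch --raw`; not real log data.
SAMPLE = """\
type=SYSCALL msg=audit(1382704914.101:201): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1 a1=0 items=1 ppid=900 pid=901 auid=500 uid=500 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1382704914.101:201): item=0 name="/etc/shadow" inode=1234 dev=fd:00
type=SYSCALL msg=audit(1382704915.220:202): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd2 a1=0 items=1 ppid=900 pid=902 auid=500 uid=500 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1382704916.300:203): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd3 a1=0 items=1 ppid=900 pid=903 auid=500 uid=500 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1382704917.410:204): arch=c000003e syscall=2 success=no exit=-2 a0=7ffd4 a1=0 items=1 ppid=900 pid=904 auid=500 uid=500 comm="run" exe=2F6F70742F6D79206170702F72756E key=(null)
"""

# name=value pairs; a value is either a double-quoted string or a run of non-space characters
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode(value):
    """Audit quotes plain strings and hex-encodes those containing spaces or odd bytes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # e.g. (null) or an already-plain token


def failed_by_exe(text):
    """Count failed syscalls per (exe, syscall number, errno name)."""
    counts = Counter()
    for line in text.splitlines():
        rec = dict(FIELD.findall(line))
        if rec.get("type") != "SYSCALL" or rec.get("success") != "no":
            continue  # skip PATH/CWD records and successful calls
        code = rec.get("exit", "0")
        # exit holds the negated errno for a failed call; map it to its symbolic name
        name = errno.errorcode.get(-int(code), code)
        counts[(decode(rec.get("exe", "?")), rec.get("syscall", "?"), name)] += 1
    return counts


if __name__ == "__main__":
    for (exe, syscall, err), n in failed_by_exe(SAMPLE).most_common():
        print(f"{n:5d}  {exe}  syscall={syscall}  {err}")
```

The syscall number is left numeric because its meaning depends on the arch field of the record.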