aulast only displaying reboot pseudo-users

Eric Paris eparis at redhat.com
Mon Jun 16 21:28:02 UTC 2014


On Mon, 2014-06-16 at 17:24 -0400, Eric Paris wrote:
> On Mon, 2014-06-16 at 17:20 -0400, Eric Paris wrote:
> 
> > I'd call this a pretty clear userspace bug where it just completely
> > drops records, even if it can't parse them...
> 
> Definitely a userspace bug...
> 
> [root at localhost eparis]# ausearch -m login 
> <no matches>
> [root at localhost eparis]# cat /var/log/audit/audit.log | grep "type=LOGIN" | wc -l
> 14
> [root at localhost eparis]# uname -a
> Linux localhost.localdomain 3.14.4-200.fc20.x86_64 #1 SMP Tue May 13 13:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> [root at localhost eparis]# rpm -q audit
> audit-2.3.7-1.fc20.x86_64
> 
> type=LOGIN msg=audit(1402952461.125:37289): pid=30708 uid=0 old-auid=4294967295 new-auid=0 old-ses=4294967295 new-ses=137 res=1
> 
> I get it that the parse doesn't know how to handle new-auid and new-ses,
> but just dropping the record really seems like a bad idea to me...
> 

Ok, I'm finished chain e-mailing:

# cat /var/log/audit/audit.log | sed 's/new-auid/auid/' | sed 's/new-ses/ses/' | ausearch -m login

shows the records....
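
An added example, not part of the original message and not code from the audit userspace tools: a small Python sketch of a LOGIN search that accepts both the `new-auid`/`new-ses` spelling in the record quoted above and the `auid`/`ses` spelling produced by the sed workaround, and that returns lines it cannot parse instead of dropping them. The function names, the USER_END record and the damaged line are constructed for illustration.

```python
import re

# type=NAME msg=audit(EPOCH.MSEC:SERIAL): key=value key=value ...
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")

def parse_record(line):
    """Parse one audit.log line; return None only if the header is malformed."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group(4).split():
        key, sep, value = token.partition("=")
        if sep:                      # unknown keys are kept, never fatal
            fields[key] = value
    return {"type": m.group(1), "serial": int(m.group(3)), "fields": fields}

def login_ids(fields):
    """Return (auid, ses) from either spelling; None where a value is absent."""
    def pick(*names):
        for name in names:
            value = fields.get(name, "")
            if value.isdigit():
                return int(value)
        return None
    return pick("new-auid", "auid"), pick("new-ses", "ses")

def search_logins(lines):
    """Return (matches, rejected): LOGIN records found and lines not parsed."""
    matches, rejected = [], []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            rejected.append(line)    # surfaced to the caller, not dropped
        elif rec["type"] == "LOGIN":
            matches.append((rec["serial"],) + login_ids(rec["fields"]))
    return matches, rejected

SAMPLE = [
    # Record quoted in the message above
    "type=LOGIN msg=audit(1402952461.125:37289): pid=30708 uid=0 old-auid=4294967295 new-auid=0 old-ses=4294967295 new-ses=137 res=1",
    # The same record after the sed rename shown in the message
    "type=LOGIN msg=audit(1402952461.125:37289): pid=30708 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=137 res=1",
    # Constructed: a non-LOGIN record and a damaged line
    "type=USER_END msg=audit(1402952470.001:37290): pid=30708 uid=0 auid=0 ses=137 res=success",
    "type=LOGIN msg=audit(truncated",
]
```
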



