* Full path of the filename not showing up in audit logs for some entries in aureport -f
@ 2017-02-28  2:05 Kaptaan
  2017-03-09 19:30 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Kaptaan @ 2017-02-28  2:05 UTC (permalink / raw)
  To: linux-audit



Hello,
I have set some file monitoring audit rules on a directory and the audit log shows some entries like

ausearch -if $LOGDIR -a 448424 -i
NOTE - using logs in /qdap01/tax/logs/audit.log
----
type=PATH msg=audit(02/27/2017 13:50:13.917:448424) : item=1 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG.tax.41.tmp1 inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=CREATE
type=PATH msg=audit(02/27/2017 13:50:13.917:448424) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=CWD msg=audit(02/27/2017 13:50:13.917:448424) : cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635
type=SYSCALL msg=audit(02/27/2017 13:50:13.917:448424) : arch=i386 syscall=open success=yes exit=5 a0=0x8be40c0 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0777 a3=0x0 items=2 ppid=635 pid=677 auid=rmoroncelli uid=akatekar gid=mfradmin euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin fsgid=mfradmin tty=(none) ses=219531 comm=EXECPGM exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM key=DFS_DATA

ausearch -if $LOGDIR -a 448424 --raw | aureport -i -f
NOTE - using logs in /qdap01/tax/logs/audit.log

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 02/27/2017 13:50:13 /qdap01/tax/data/seqfiles/DFS/ open yes /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM rmoroncelli 448424

As you can see, the full path of the file is available for the audit event, yet aureport -f does not show the complete file name. Any idea why this is happening and what I should do to get the full path as given in item1? It seems that for some reason it always gives the filename in item0.

I have another entry where the inode is present but the name is (null).

ausearch -if $LOGDIR -a 448425 -i
NOTE - using logs in /qdap01/tax/logs/audit.log
----
type=PATH msg=audit(02/27/2017 13:50:14.862:448425) : item=1 name=(null) inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=NORMAL
type=PATH msg=audit(02/27/2017 13:50:14.862:448425) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=CWD msg=audit(02/27/2017 13:50:14.862:448425) : cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635
type=SYSCALL msg=audit(02/27/2017 13:50:14.862:448425) : arch=i386 syscall=open success=yes exit=5 a0=0x914552a a1=O_WRONLY|O_CREAT|O_TRUNC a2=0777 a3=0x0 items=2 ppid=677 pid=803 auid=rmoroncelli uid=akatekar gid=mfradmin euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin fsgid=mfradmin tty=(none) ses=219531 comm=IEBGENER exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER key=DFS_DATA

ausearch -if $LOGDIR -a 448425 --raw | aureport -i -f
NOTE - using logs in /qdap01/tax/logs/audit.log

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 02/27/2017 13:50:14 /qdap01/tax/data/seqfiles/DFS/ open yes /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER rmoroncelli 448425

Why is this coming as null for item1?

Another entry has a rename SYSCALL, which comes out as

ausearch -if $LOGDIR -a 448427 -i
NOTE - using logs in /qdap01/tax/logs/audit.log
----
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=3 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_08 inode=6703 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=CREATE
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=2 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_07 inode=6703 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=DELETE
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=1 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=CWD msg=audit(02/27/2017 13:50:14.939:448427) : cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635
type=SYSCALL msg=audit(02/27/2017 13:50:14.939:448427) : arch=i386 syscall=rename success=yes exit=0 a0=0xfff3b160 a1=0xfff3ad60 a2=0x7 a3=0xfff3b160 items=4 ppid=840 pid=843 auid=rmoroncelli uid=akatekar gid=mfradmin euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin fsgid=mfradmin tty=(none) ses=219531 comm=gdgen exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen key=DFS_DATA


ausearch -if $LOGDIR -a 448427 -r | aureport -i -f
NOTE - using logs in /qdap01/tax/logs/audit.log

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 02/27/2017 13:50:14 /qdap01/tax/data/seqfiles/DFS/ rename yes /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen rmoroncelli 448427

How can we get both the filenames (in item3 and item2) in the aureport?

Finally, can we have uid come out in the aureport along with auid? Any option/arguments that might help?

Sorry, if this has already been asked many times, but I did not get my answers with the limited search that I did.

Thanks in advance for the help.

Regards,
Amit Katekar.








* Re: Full path of the filename not showing up in audit logs for some entries in aureport -f
  2017-02-28  2:05 Full path of the filename not showing up in audit logs for some entries in aureport -f Kaptaan
@ 2017-03-09 19:30 ` Steve Grubb
  2017-03-28  2:22   ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2017-03-09 19:30 UTC (permalink / raw)
  To: linux-audit, Kaptaan

Hello,

On Monday, February 27, 2017 9:05:18 PM EST Kaptaan wrote:
> I have set some file monitoring audit rules on a directory and the audit log
> shows some entries like
> 
> ausearch -if $LOGDIR -a 448424 -i
> NOTE - using logs in /qdap01/tax/logs/audit.log
> ----
> type=PATH msg=audit(02/27/2017 13:50:13.917:448424) : item=1
> name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG.tax.41.tmp1
> inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00
> nametype=CREATE type=PATH msg=audit(02/27/2017 13:50:13.917:448424) :
> item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770
> ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT type=CWD
> msg=audit(02/27/2017 13:50:13.917:448424) :
> cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635 type=SYSCALL
> msg=audit(02/27/2017 13:50:13.917:448424) : arch=i386 syscall=open
> success=yes exit=5 a0=0x8be40c0 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0777 a3=0x0
> items=2 ppid=635 pid=677 auid=rmoroncelli uid=akatekar gid=mfradmin
> euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin
> fsgid=mfradmin tty=(none) ses=219531 comm=EXECPGM
> exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM key=DFS_DATA
> 
> ausearch -if $LOGDIR -a 448424 --raw | aureport -i -f
> NOTE - using logs in /qdap01/tax/logs/audit.log
> 
> File Report
> ===============================================
> # date time file syscall success exe auid event
> ===============================================
> 1. 02/27/2017 13:50:13 /qdap01/tax/data/seqfiles/DFS/ open yes
> /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM rmoroncelli 448424
> 
> As you can see, the full path of the file is available for the audit event,
> yet aureport -f does not show the complete file name. Any idea why
> this is happening and what I should do to get the full path as given in
> item1? It seems that for some reason it always gives the filename in item0.

A long time ago, the kernel only produced one PATH record. So, aureport 
printed one PATH record. Ausearch and Aureport share the same record parser. 
At some point in the past, it was decided that we are going to get multiple 
PATH records that describe different things about the event.  So, work was done 
in the parser to locate all of the pieces for searching. But work was not done 
on the aureport file report. So, what you are seeing is the first PATH record 
which is the directory.


> I have another entry where the inode is present but the name is (null).
> 
> ausearch -if $LOGDIR -a 448425 -i
> NOTE - using logs in /qdap01/tax/logs/audit.log
> ----
> type=PATH msg=audit(02/27/2017 13:50:14.862:448425) : item=1 name=(null)
> inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00
> nametype=NORMAL type=PATH msg=audit(02/27/2017 13:50:14.862:448425) :
> item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770
> ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT type=CWD
> msg=audit(02/27/2017 13:50:14.862:448425) :
> cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635 type=SYSCALL
> msg=audit(02/27/2017 13:50:14.862:448425) : arch=i386 syscall=open
> success=yes exit=5 a0=0x914552a a1=O_WRONLY|O_CREAT|O_TRUNC a2=0777 a3=0x0
> items=2 ppid=677 pid=803 auid=rmoroncelli uid=akatekar gid=mfradmin
> euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin
> fsgid=mfradmin tty=(none) ses=219531 comm=IEBGENER
> exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER key=DFS_DATA
> 
> ausearch -if $LOGDIR -a 448425 --raw | aureport -i -f
> NOTE - using logs in /qdap01/tax/logs/audit.log
> 
> File Report
> ===============================================
> # date time file syscall success exe auid event
> ===============================================
> 1. 02/27/2017 13:50:14 /qdap01/tax/data/seqfiles/DFS/ open yes
> /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER rmoroncelli 448425
> 
> Why is this coming as null for item1?

I couldn't tell you the exact reason, but it's something along the lines of the 
name was not available. You might say, isn't the name one of the parameters 
passed to the open syscall? And I'd say yep. Maybe one of these days it will 
get used when path name resolution fails.


> Another entry has a rename SYSCALL, which comes out as
> 
> ausearch -if $LOGDIR -a 448427 -i
> NOTE - using logs in /qdap01/tax/logs/audit.log
> ----
> type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=3
> name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_08 inode=6703
> dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00
> nametype=CREATE type=PATH msg=audit(02/27/2017 13:50:14.939:448427) :
> item=2 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_07
> inode=6703 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00
> nametype=DELETE type=PATH msg=audit(02/27/2017 13:50:14.939:448427) :
> item=1 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770
> ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT type=PATH
> msg=audit(02/27/2017 13:50:14.939:448427) : item=0
> name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770
> ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT type=CWD
> msg=audit(02/27/2017 13:50:14.939:448427) :
> cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635 type=SYSCALL
> msg=audit(02/27/2017 13:50:14.939:448427) : arch=i386 syscall=rename
> success=yes exit=0 a0=0xfff3b160 a1=0xfff3ad60 a2=0x7 a3=0xfff3b160 items=4
> ppid=840 pid=843 auid=rmoroncelli uid=akatekar gid=mfradmin euid=akatekar
> suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin fsgid=mfradmin
> tty=(none) ses=219531 comm=gdgen
> exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen key=DFS_DATA
> 
> 
> ausearch -if $LOGDIR -a 448427 -r | aureport -i -f
> NOTE - using logs in /qdap01/tax/logs/audit.log
> 
> File Report
> ===============================================
> # date time file syscall success exe auid event
> ===============================================
> 1. 02/27/2017 13:50:14 /qdap01/tax/data/seqfiles/DFS/ rename yes
> /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen rmoroncelli 448427
> 
> How can we get both the filenames (in item3 and item2) in the aureport?

Aureport has never supported that. I'd say that perhaps it should be changed 
to skip parent records if the other ones don't have (null).


> Finally, can we have uid come out in the aureport along with auid? Any
> option/arguments that might help?

Nope. That would take reworking the output of aureport. 

-Steve


* Re: Full path of the filename not showing up in audit logs for some entries in aureport -f
  2017-03-09 19:30 ` Steve Grubb
@ 2017-03-28  2:22   ` Steve Grubb
  0 siblings, 0 replies; 3+ messages in thread
From: Steve Grubb @ 2017-03-28  2:22 UTC (permalink / raw)
  To: linux-audit; +Cc: Kaptaan

On Thursday, March 9, 2017 2:30:33 PM EDT Steve Grubb wrote:
> Hello,
> 
> On Monday, February 27, 2017 9:05:18 PM EST Kaptaan wrote:
> > I have set some file monitoring audit rules on a directory and the audit
> > log shows some entries like
> > 
> > ausearch -if $LOGDIR -a 448424 -i
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> > ----
> > type=PATH msg=audit(02/27/2017 13:50:13.917:448424) : item=1
> > name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG.tax.41.tmp1
> > inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00
> > nametype=CREATE type=PATH msg=audit(02/27/2017 13:50:13.917:448424) :
> > item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770
> > ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT type=CWD
> > msg=audit(02/27/2017 13:50:13.917:448424) :
> > cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635 type=SYSCALL
> > msg=audit(02/27/2017 13:50:13.917:448424) : arch=i386 syscall=open
> > success=yes exit=5 a0=0x8be40c0 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0777 a3=0x0
> > items=2 ppid=635 pid=677 auid=rmoroncelli uid=akatekar gid=mfradmin
> > euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin
> > fsgid=mfradmin tty=(none) ses=219531 comm=EXECPGM
> > exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM key=DFS_DATA
> > 
> > ausearch -if $LOGDIR -a 448424 --raw | aureport -i -f
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> > 
> > File Report
> > ===============================================
> > # date time file syscall success exe auid event
> > ===============================================
> > 1. 02/27/2017 13:50:13 /qdap01/tax/data/seqfiles/DFS/ open yes
> > /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM rmoroncelli 448424
> > 
> > As you can see, the full path of the file is available for the audit event,
> > yet aureport -f does not show the complete file name. Any idea why
> > this is happening and what I should do to get the full path as given in
> > item1? It seems that for some reason it always gives the filename in item0.
> 
> A long time ago, the kernel only produced one PATH record. So, aureport
> printed one PATH record. Ausearch and Aureport share the same record parser.
> At some point in the past, it was decided that we are going to get multiple
> PATH records that describe different things about the event.  So, work was
> done in the parser to locate all of the pieces for searching. But work was
> not done on the aureport file report. So, what you are seeing is the first
> PATH record which is the directory.
> 
> > I have another entry where the inode is present but the name is (null).
> > 
> > ausearch -if $LOGDIR -a 448425 -i
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> > ----
> > type=PATH msg=audit(02/27/2017 13:50:14.862:448425) : item=1 name=(null)
> > inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00
> > nametype=NORMAL type=PATH msg=audit(02/27/2017 13:50:14.862:448425) :
> > item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770
> > ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT type=CWD
> > msg=audit(02/27/2017 13:50:14.862:448425) :
> > cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635 type=SYSCALL
> > msg=audit(02/27/2017 13:50:14.862:448425) : arch=i386 syscall=open
> > success=yes exit=5 a0=0x914552a a1=O_WRONLY|O_CREAT|O_TRUNC a2=0777 a3=0x0
> > items=2 ppid=677 pid=803 auid=rmoroncelli uid=akatekar gid=mfradmin
> > euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin
> > fsgid=mfradmin tty=(none) ses=219531 comm=IEBGENER
> > exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER key=DFS_DATA
> > 
> > ausearch -if $LOGDIR -a 448425 --raw | aureport -i -f
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> > 
> > File Report
> > ===============================================
> > # date time file syscall success exe auid event
> > ===============================================
> > 1. 02/27/2017 13:50:14 /qdap01/tax/data/seqfiles/DFS/ open yes
> > /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER rmoroncelli 448425
> > 
> > Why is this coming as null for item1?
> 
> I couldn't tell you the exact reason, but it's something along the lines of
> the name was not available. You might say, isn't the name one of the
> parameters passed to the open syscall? And I'd say yep. Maybe one of these
> days it will get used when path name resolution fails.
> 
> > Another entry has a rename SYSCALL, which comes out as
> > 
> > ausearch -if $LOGDIR -a 448427 -i
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> > ----
> > type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=3
> > name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_08 inode=6703
> > dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00
> > nametype=CREATE type=PATH msg=audit(02/27/2017 13:50:14.939:448427) :
> > item=2 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_07
> > inode=6703 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00
> > nametype=DELETE type=PATH msg=audit(02/27/2017 13:50:14.939:448427) :
> > item=1 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770
> > ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT type=PATH
> > msg=audit(02/27/2017 13:50:14.939:448427) : item=0
> > name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770
> > ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT type=CWD
> > msg=audit(02/27/2017 13:50:14.939:448427) :
> > cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635 type=SYSCALL
> > msg=audit(02/27/2017 13:50:14.939:448427) : arch=i386 syscall=rename
> > success=yes exit=0 a0=0xfff3b160 a1=0xfff3ad60 a2=0x7 a3=0xfff3b160
> > items=4
> > ppid=840 pid=843 auid=rmoroncelli uid=akatekar gid=mfradmin euid=akatekar
> > suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin fsgid=mfradmin
> > tty=(none) ses=219531 comm=gdgen
> > exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen key=DFS_DATA
> > 
> > 
> > ausearch -if $LOGDIR -a 448427 -r | aureport -i -f
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> > 
> > File Report
> > ===============================================
> > # date time file syscall success exe auid event
> > ===============================================
> > 1. 02/27/2017 13:50:14 /qdap01/tax/data/seqfiles/DFS/ rename yes
> > /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen rmoroncelli 448427
> > 
> > How can we get both the filenames (in item3 and item2) in the aureport?
> 
> Aureport has never supported that. I'd say that perhaps it should be changed
> to skip parent records if the other ones don't have (null).

This has been put into the next release which should go out tomorrow. It will 
now pick the first non-parent record. This should be closer to what you want.

-Steve

> > Finally, can we have uid come out in the aureport along with auid? Any
> > option/arguments that might help?
> 
> Nope. That would take reworking the output of aureport.
> 
> -Steve
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
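As an added illustration (not code from the audit package or from anyone in the thread), the selection rule Steve describes applied in Python to the records quoted above: the old file report took the first PATH record, which is the PARENT directory; the fix takes the first non-PARENT record; and walking every non-parent record per event recovers both names of a rename, substitutes the inode when the kernel logged name=(null), and lets the report carry uid next to auid. The SYSCALL lines are trimmed to the fields used here.

```python
import re
from collections import defaultdict

# Records copied from the thread's ausearch -i output (SYSCALL lines trimmed to the fields used).
SAMPLE_LOG = """\
type=PATH msg=audit(02/27/2017 13:50:13.917:448424) : item=1 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG.tax.41.tmp1 inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=CREATE
type=PATH msg=audit(02/27/2017 13:50:13.917:448424) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=SYSCALL msg=audit(02/27/2017 13:50:13.917:448424) : arch=i386 syscall=open success=yes exit=5 items=2 pid=677 auid=rmoroncelli uid=akatekar comm=EXECPGM exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM key=DFS_DATA
type=PATH msg=audit(02/27/2017 13:50:14.862:448425) : item=1 name=(null) inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=NORMAL
type=PATH msg=audit(02/27/2017 13:50:14.862:448425) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=SYSCALL msg=audit(02/27/2017 13:50:14.862:448425) : arch=i386 syscall=open success=yes exit=5 items=2 pid=803 auid=rmoroncelli uid=akatekar comm=IEBGENER exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER key=DFS_DATA
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=3 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_08 inode=6703 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=CREATE
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=2 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_07 inode=6703 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=DELETE
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=1 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=SYSCALL msg=audit(02/27/2017 13:50:14.939:448427) : arch=i386 syscall=rename success=yes exit=0 items=4 pid=843 auid=rmoroncelli uid=akatekar comm=gdgen exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen key=DFS_DATA
"""

# "type=PATH msg=audit(<timestamp>:<serial>) : <key=value ...>"; the timestamp itself contains colons,
# so the serial is taken as the digits just before the closing parenthesis.
HDR_RE = re.compile(r"^type=(\w+) msg=audit\((.+?):(\d+)\) : (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")   # simple key=value split, enough for the records above

def parse_events(text):
    """Group records by event serial: {serial: {"syscall": fields, "paths": [fields sorted by item]}}."""
    events = defaultdict(lambda: {"syscall": {}, "paths": []})
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if not m:
            continue
        rtype, stamp, serial, body = m.groups()
        fields = dict(FIELD_RE.findall(body))
        fields["time"] = stamp
        if rtype == "PATH":
            events[int(serial)]["paths"].append(fields)
        elif rtype == "SYSCALL":
            events[int(serial)]["syscall"] = fields
    for ev in events.values():
        # ausearch prints item=1 before item=0; put them back in kernel order
        ev["paths"].sort(key=lambda p: int(p["item"]))
    return dict(events)

def legacy_file(ev):
    """What aureport -f printed before the fix: the first PATH record, i.e. the PARENT directory."""
    return ev["paths"][0]["name"] if ev["paths"] else None

def first_non_parent(ev):
    """The rule Steve describes for the next release: the first record whose nametype is not PARENT."""
    for p in ev["paths"]:
        if p["nametype"] != "PARENT":
            return p["name"]
    return legacy_file(ev)

def affected_files(ev):
    """Every non-parent (nametype, name); a (null) name is replaced by its inode and device."""
    out = []
    for p in ev["paths"]:
        if p["nametype"] == "PARENT":
            continue
        name = p["name"] if p["name"] != "(null)" else "inode:%s@%s" % (p["inode"], p["dev"])
        out.append((p["nametype"], name))
    return out

def file_report(text):
    """Rows like the aureport file report, with uid added after auid: (time, file, syscall, success, exe, auid, uid, serial)."""
    rows = []
    for serial, ev in sorted(parse_events(text).items()):
        sc = ev["syscall"]
        rows.append((sc.get("time"), first_non_parent(ev), sc.get("syscall"), sc.get("success"),
                     sc.get("exe"), sc.get("auid"), sc.get("uid"), serial))
    return rows

if __name__ == "__main__":
    for row in file_report(SAMPLE_LOG):
        print(" ".join(str(c) for c in row))
    for serial, ev in sorted(parse_events(SAMPLE_LOG).items()):
        print(serial, affected_files(ev))
```

Event 448425 still reports (null) under the new rule, exactly as Steve's reply implies; affected_files is the fallback that keeps the inode so the record stays searchable.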

