Audit record emission

Linda Knippers linda.knippers at hp.com
Thu May 5 19:52:34 UTC 2005


Steve Grubb wrote:
> It basically says that audit records may be emitted as event records are 
> generated as opposed to syscall exit. The problem shows up during stress 
> testing. The records that get sent from the kernel are nowhere close to each 
> other and are hard to correlate.

I've been using ausearch to find things and it seems to do a nice
job of putting the pieces together.  Maybe we need an option to
dump everything, or maybe have an aucat command?   Or are you finding
that under the stress testing, the ausearch command doesn't work well
because the records are so far apart?

-- ljk
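
The correlation discussed in this message, as an added example that is not part of the original post or of the audit tools: a small Python sketch that regroups interleaved records into events. It assumes each record carries the `msg=audit(timestamp:serial)` stamp; the sample log lines are constructed and the function names are hypothetical.

```python
import re
from collections import OrderedDict

# Constructed sample: records from two events arrive interleaved,
# as they might when emitted at generation time under load.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1115322754.101:501): arch=40000003 syscall=5 success=yes exit=3 pid=2101 comm="cat"
type=SYSCALL msg=audit(1115322754.102:502): arch=40000003 syscall=5 success=no exit=-13 pid=2102 comm="less"
type=CWD msg=audit(1115322754.101:501): cwd="/root"
type=PATH msg=audit(1115322754.102:502): name="/etc/shadow"
type=PATH msg=audit(1115322754.101:501): name="/etc/passwd"
this line is not an audit record
type=CWD msg=audit(1115322754.102:502): cwd="/home/test"
"""

# Assumption: every record starts with type=... msg=audit(<time>:<serial>):
STAMP = re.compile(r"^type=(\S+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")


def correlate(log_text):
    """Group records by (timestamp, serial); return (events, unparsed)."""
    events = OrderedDict()   # keeps events in order of first appearance
    unparsed = []            # lines without a stamp are kept, not dropped
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = STAMP.match(line)
        if match is None:
            unparsed.append(line)
            continue
        rtype, ts, serial, body = match.groups()
        events.setdefault((ts, int(serial)), []).append((rtype, body))
    return events, unparsed


def dump(events):
    """Render every event as one contiguous block of its records."""
    out = []
    for (ts, serial), records in events.items():
        out.append("event %s:%d (%d records)" % (ts, serial, len(records)))
        out.extend("  %-8s %s" % (rtype, body) for rtype, body in records)
    return "\n".join(out)


if __name__ == "__main__":
    grouped, leftover = correlate(SAMPLE_LOG)
    print(dump(grouped))
    print("unparsed lines:", len(leftover))
```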



