Using audit for service monitoring...
Steve Grubb
sgrubb at redhat.com
Thu Sep 28 20:46:46 UTC 2006
On Thursday 28 September 2006 16:29, Randy Zagar wrote:
> More importantly, is this an appropriate use of the audit subsystem, or
> should I be doing this some other way?
Generally, the audit system is used for logging security relevant artifacts.
But its been used for bootup readahead analysis, too. So, you could use it
for this, but you might get more data than you want. Try it and see.
> If this is the right way to do it, how can I easily determine which
> syscalls can return ESTALE? Using '-S all' seems wasteful...
Maybe you can try "auditctl -a exit,always -F perm=all -F exit=-13"
perm selects filesystem classes of syscalls.
-Steve
More information about the Linux-audit
mailing list