datastructures sent by auditSubsystem to audit daemon

Steve Grubb sgrubb at redhat.com
Thu Dec 13 11:35:51 UTC 2007


On Thursday 13 December 2007 03:23:34 Abhishek Gupta wrote:
> Which are the specific data structures (containing various fields such as
> events, etc.) that are sent by the audit subsystem to the audit daemon?

It's not a data structure. The kernel sends a text string to the audit daemon 
via the netlink interface. The audit daemon takes the message type number and 
looks it up to get the text string for that type and substitutes that when it 
writes to disk so that it's a little more friendly to view.

> And in which file are they present?

Typically, they are written to /var/log/audit/audit.log. You can see the 
messages there and they are basically unaltered.

-Steve
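As an added illustration of the substitution Steve describes (not code from the thread or from audit-userspace): the kernel delivers a numeric message type plus a text payload, and auditd writes `type=NAME msg=...` to audit.log. The type numbers below are a small subset of those in `<linux/audit.h>`; the netlink messages are constructed samples, and the `UNKNOWN[n]` fallback for unlisted types is assumed to match auditd's own output.

```python
import re

# Subset of kernel audit message types from <linux/audit.h> (assumption: the
# real table is far larger; only a few record types are listed here).
AUDIT_TYPE_NAMES = {
    1112: "USER_LOGIN",
    1300: "SYSCALL",
    1302: "PATH",
    1307: "CWD",
    1309: "EXECVE",
    1320: "EOE",
}

# Constructed samples of what arrives over netlink: (type number, payload text
# formatted by the kernel). Records sharing "timestamp:serial" form one event.
SAMPLE_NETLINK_MESSAGES = [
    (1300, 'audit(1197545751.123:42): arch=c000003e syscall=59 success=yes '
           'exit=0 pid=4321 uid=1000 comm="cat" exe="/bin/cat"'),
    (1309, 'audit(1197545751.123:42): argc=2 a0="cat" a1="/etc/passwd"'),
    (1302, 'audit(1197545751.123:42): item=0 name="/etc/passwd" inode=1234 mode=0100644'),
    (1320, 'audit(1197545751.123:42): '),
    (9999, 'audit(1197545751.124:43): unknown payload'),
]

LINE_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def render_log_line(msg_type, payload):
    """Do what auditd does before writing to disk: replace the numeric type
    with its name. Unknown numbers fall back to UNKNOWN[n] (assumed format)."""
    name = AUDIT_TYPE_NAMES.get(msg_type, f"UNKNOWN[{msg_type}]")
    return f"type={name} msg={payload}"


def parse_log_line(line):
    """Split one audit.log line into its type, event id and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec_type, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rec_type, "event": f"{ts}:{serial}", "fields": fields}


def group_by_event(log_lines):
    """Group parsed records by event id, preserving the order written."""
    events = {}
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is not None:
            events.setdefault(rec["event"], []).append(rec)
    return events
```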
