datastructures sent by auditSubsystem to audit daemon
Steve Grubb
sgrubb at redhat.com
Thu Dec 13 11:35:51 UTC 2007
On Thursday 13 December 2007 03:23:34 Abhishek Gupta wrote:
> Which are the specific datastructures (containing various fields such as
> events, etc.) that are sent by auditSubsystem to audit daemon?
It's not a data structure. The kernel sends a text string to the audit daemon
via the netlink interface. The audit daemon takes the message type number and
looks it up to get the text string for that type and substitutes that when it
writes to disk so that it's a little more friendly to view.
> And in which file are they present?
Typically, they are written to /var/log/audit/audit.log. You can see the
messages there and they are basically unaltered.
-Steve
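
The flow described in the reply above, as an added example that is not part of the original message or of the audit code: a numeric message type plus the kernel's text string becomes an audit.log line, which is then parsed back into fields. The type table is a small subset of the constants in <linux/audit.h>, the function names are hypothetical, and the sample payload is constructed.

```python
import re

# Subset of message type numbers from <linux/audit.h>; the daemon's table is far larger.
TYPE_NAMES = {1300: "SYSCALL", 1302: "PATH", 1307: "CWD", 1112: "USER_LOGIN"}

# Constructed sample of the text string the kernel hands over via netlink.
SAMPLE_PAYLOAD = ('audit(1197545751.123:42): arch=c000003e syscall=2 success=yes '
                  'exit=3 comm="cat" exe="/bin/cat" key=(null)')

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def format_record(msg_type, payload):
    """Build the on-disk line: the type number is replaced by its name,
    the kernel's text is kept unaltered after msg=."""
    # Types missing from the table are written in the UNKNOWN[n] form.
    name = TYPE_NAMES.get(msg_type, "UNKNOWN[%d]" % msg_type)
    return "type=%s msg=%s" % (name, payload)


def parse_record(line):
    """Split one kernel-originated audit.log line into header and key=value fields."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    fields = {}
    for key, value in FIELD_RE.findall(m.group("body")):
        # Quoted values are plain strings; drop only the surrounding quotes.
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return {
        "type": m.group("type"),
        "timestamp": m.group("ts"),        # seconds.milliseconds since the epoch
        "serial": int(m.group("serial")),  # records of one event share this serial
        "fields": fields,
    }


if __name__ == "__main__":
    line = format_record(1300, SAMPLE_PAYLOAD)
    print(line)
    print(parse_record(line))
```

Records that share the same timestamp and serial belong to one event, so grouping parsed records on that pair reassembles the SYSCALL, CWD and PATH lines of a single system call.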