(no subject)

Steve Grubb sgrubb at redhat.com
Sat Jan 12 14:55:30 UTC 2008


On Saturday 12 January 2008 08:45:09 Abhishek Gupta wrote:
> msg=audit(1116360555.329:2401771).
>
> How to interpret the above message? What do 1116360555, 329 and 2401771 mean here?

seconds.msec:serial number

The seconds can be converted with ctime().


> By looking at this type of audit message how can I interpret all the things
> related to a particular process?

This is not a message type, it's just the unique time stamp for the event.


> If I want to trace all syscalls called by a particular process how to do that
> without using ausearch (means by looking at above type messages)?
> How can I obtain strace output by this auditing subsystem?

You would use the autrace program. After running it, it will tell you what 
ausearch command to run to see the results. The output will not be formatted 
like strace, but it contains the information.

If you are writing a program that analyzes the audit data, I'd recommend using 
the auparse library to do all your parsing and data interpretation.

-Steve
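The header format described above (seconds.msec:serial), worked through in code. This is an added example, not code from the post or from the audit project; the records in SAMPLE_RECORDS are constructed, and the pid filter is a plain regex over the raw text rather than auparse.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Every audit record carries "type=<TYPE> msg=audit(<seconds>.<msec>:<serial>):"; type= is optional here.
HEADER = re.compile(r"(?:type=(\w+) )?msg=audit\((\d+)\.(\d{3}):(\d+)\)")
# Constructed sample records (not from the original post); one event spans three records.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1116360555.329:2401771): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=4321 comm="cat" exe="/bin/cat"',
    'type=CWD msg=audit(1116360555.329:2401771): cwd="/tmp"',
    'type=PATH msg=audit(1116360555.329:2401771): item=0 name="/etc/passwd"',
    'type=SYSCALL msg=audit(1116360556.001:2401772): arch=c000003e syscall=3 success=yes exit=0 ppid=1 pid=4321 comm="cat" exe="/bin/cat"',
]

def parse_header(record):
    """Return (type, seconds, msec, serial) for one record, or None if no header; type is None without type=."""
    m = HEADER.search(record)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))

def event_time(seconds, msec):
    """Human-readable time: the seconds part is a Unix epoch (what ctime() takes),
    the milliseconds are appended; UTC is used so output does not depend on TZ."""
    ts = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return f"{ts:%Y-%m-%d %H:%M:%S}.{msec:03d}"

def group_by_event(records):
    """Map each event id (seconds, msec, serial) to the record types that share it.
    Correlating a SYSCALL record with its CWD/PATH records is done purely on this id."""
    events = defaultdict(list)
    for rec in records:
        hdr = parse_header(rec)
        if hdr:
            events[hdr[1:]].append(hdr[0])
    return dict(events)

def syscalls_for_pid(records, pid):
    """(time, syscall number) for every SYSCALL record of one pid, in log order.
    Numbers are arch-specific; ausyscall or auparse turn them into names."""
    out = []
    for rec in records:
        hdr = parse_header(rec)
        if hdr and hdr[0] == "SYSCALL":
            m = re.search(r"\bsyscall=(\d+)\b.*\bpid=(\d+)\b", rec)
            if m and int(m.group(2)) == pid:
                out.append((event_time(hdr[1], hdr[2]), int(m.group(1))))
    return out
```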
