ausearch on aggregation - syscall difference
LC Bruzenak
lenny at magitekltd.com
Fri Oct 24 18:38:45 UTC 2008
On Fri, 2008-10-24 at 14:28 -0400, John Dennis wrote:
> >
> This problem occurs because ausearch naively assumes the log data it's
> parsing originated on the same machine it's running on. Instead of
> reading the arch from the audit record it calls audit_detect_machine()
> which calls uname(). It then uses the machine arch it found with uname()
> to interpret the syscall number. Auparse has the same problem.
>
The audit-viewer gets the right syscall for the event's arch.
LCB.
--
LC (Lenny) Bruzenak
lenny at magitekltd.com
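The mismatch John describes is easy to reproduce in a few lines. The following is an added illustration, not code from ausearch, auparse or anyone on this thread: it parses a SYSCALL record, then resolves the syscall number once the way the thread says ausearch does (using the host's architecture) and once using the `arch=` field carried in the record itself. The syscall tables are a deliberately tiny constructed excerpt; a real tool needs the full per-architecture tables. The sample record is constructed, and the AUDIT_ARCH_* values are the ones from linux/audit.h.

```python
import re

# Architecture identifiers as they appear in the arch= field (linux/audit.h).
AUDIT_ARCH_X86_64 = 0xC000003E
AUDIT_ARCH_I386 = 0x40000003

# Constructed excerpt of the per-architecture syscall tables. The same
# number means different things on different architectures, which is
# exactly why the record's own arch= value must drive the lookup.
SYSCALL_TABLES = {
    AUDIT_ARCH_X86_64: {0: "read", 1: "write", 2: "open", 59: "execve"},
    AUDIT_ARCH_I386: {2: "fork", 3: "read", 4: "write", 5: "open", 11: "execve"},
}

# Constructed sample record, as if written on an x86_64 host.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1224873000.123:456): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=7fff1234 a1=0 a2=1b6 a3=0 items=1 ppid=1 '
    'pid=1234 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="watch-etc"'
)

# key=value pairs; values are either double-quoted or a run of non-space.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of field name -> value."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def syscall_name_naive(rec, host_arch):
    """The behaviour the thread complains about: the record's arch= field is
    ignored and the number is interpreted with the arch uname() reports."""
    return SYSCALL_TABLES[host_arch].get(int(rec["syscall"]), "unknown")


def syscall_name_by_record_arch(rec):
    """Interpret the syscall number with the architecture the record names."""
    table = SYSCALL_TABLES.get(int(rec["arch"], 16))
    if table is None:
        return "unknown-arch"
    return table.get(int(rec["syscall"]), "unknown")


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    # Same x86_64 log read on a 32-bit x86 box: the naive lookup reports a
    # different syscall than the one that actually ran.
    print("naive, i386 host   :", syscall_name_naive(rec, AUDIT_ARCH_I386))
    print("naive, x86_64 host :", syscall_name_naive(rec, AUDIT_ARCH_X86_64))
    print("by record arch     :", syscall_name_by_record_arch(rec))
```

When the sample is interpreted on an x86_64 host both paths agree; on an i386 host the naive path reports `fork` for what was really an `open`, which is the kind of silent misattribution to watch for when audit logs are aggregated from machines of mixed architectures.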