Audit Prelude Logout Tracking

LC Bruzenak lenny at magitekltd.com
Thu Feb 19 14:45:55 UTC 2009


On Thu, 2009-02-19 at 09:26 -0500, Dan Gruhn wrote:
> 
> LC Bruzenak wrote:
> > On Wed, 2009-02-18 at 16:44 -0600, LC Bruzenak wrote:
> >   
> LCB,
> 
> Thanks for the tip that the hostname/addr info is only for remote access 
> information.
> 
>  Although this seemed like the right place to look, I don't see 
> USER_LOGOUT events in my audit logs, this is why I mentioned the 
> USER_END events.  Do you remember USER_LOGOUT working back when you 
> tried before?

I thought that is what I saw previously, but it isn't there now. 
Only login/logout on the console gives these messages. 
I need to go back through some old email - I thought Steve patched this
a while back.

> 
> I am interested in the patches that you make to audisp-prelude.c.  Do 
> you think they might be useful to me in my NISPOM quest?  If so, are 
> they patches from 1.7.11 and could you send me a copy?

I'll gladly send you a copy off-list - the changes are specific to what
I'm doing. Basically I had to sub-format the user text in order to key
off what I wanted to send to prelude. 

You may need to incorporate something similar...unless of course between
us we can provide a non-intrusive patch Steve would accept which would
accommodate user-designated IDS events! :)

LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
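
The thread notes that USER_LOGOUT records appear only for console logins, while USER_END records were also being considered. As an added example (not part of the original message and not code from audisp-prelude), the sketch below derives logouts by pairing USER_START and USER_END records on the session id. The sample records are constructed, and the field layout they use is an assumption about the local auditd output.

```python
import re

# Constructed sample records (not from the thread); field layout is assumed.
SAMPLE = """\
type=USER_START msg=audit(1235054000.101:310): pid=2101 uid=0 auid=500 ses=7 msg='op=PAM:session_open acct="dan" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_START msg=audit(1235054100.220:330): pid=2200 uid=0 auid=501 ses=8 msg='op=PAM:session_open acct="lcb" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_END msg=audit(1235054600.007:350): pid=2101 uid=0 auid=500 ses=7 msg='op=PAM:session_close acct="dan" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_END msg=audit(1235054700.410:360): pid=2200 uid=0 auid=501 ses=8 msg='op=PAM:session_close acct="lcb" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_LOGOUT msg=audit(1235054700.415:361): pid=2200 uid=0 auid=501 ses=8 msg='op=logout id=501 exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_START msg=audit(1235054800.900:370): pid=2300 uid=0 auid=500 ses=9 msg='op=PAM:session_open acct="dan" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
"""

REC = re.compile(
    r"type=(\w+) msg=audit\((\d+)\.\d+:\d+\):.*?\bauid=(\d+) ses=(\d+).*?terminal=(\S+)"
)
TRACKED = {"USER_START", "USER_END", "USER_LOGOUT"}


def track_sessions(lines):
    """Build per-session state keyed by ses; record order does not matter."""
    sessions = {}
    for line in lines:
        m = REC.search(line)
        if not m or m.group(1) not in TRACKED:
            continue
        rtype, ts, auid, ses, term = m.groups()
        s = sessions.setdefault(ses, {"auid": auid, "terminal": term, "start": None,
                                      "end": None, "explicit_logout": False})
        if rtype == "USER_START":
            s["start"] = int(ts)
        elif rtype == "USER_END":
            s["end"] = int(ts)          # session close: usable as the logout time
        else:
            s["explicit_logout"] = True  # USER_LOGOUT was also emitted
    return sessions


def logouts_without_user_logout(sessions):
    """Sessions that ended but never produced a USER_LOGOUT record."""
    return sorted(k for k, s in sessions.items()
                  if s["end"] is not None and not s["explicit_logout"])


if __name__ == "__main__":
    result = track_sessions(SAMPLE.splitlines())
    for ses, s in sorted(result.items()):
        print(ses, s)
    print("ended without USER_LOGOUT:", logouts_without_user_logout(result))
```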



