Events per System Call

Basim Baig basimbaig at gmail.com
Tue Aug 17 00:49:48 UTC 2010


Hi Steve,
Just to confirm this:
If I am taking my data stream through the af_unix socket built-in plugin,
then will I get the AUDIT_EOE event? Do I have to set up some special rule to
get this event, or is it there by default in the af_unix plugin stream?
Thanks for the prompt reply.
Basim

On Mon, Aug 16, 2010 at 5:46 PM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Monday, August 16, 2010 05:38:52 pm Basim Baig wrote:
> > It would be really helpful to know if the number of events generated per
> > system call change or do they stay the same.
>
> As your data suggests, there can be several different records per event
> depending on what it's trying to tell you. They all end with an AUDIT_EOE
> record. Auditd strips this off to save disk space, but live events have it.
>
> -Steve
>
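The record-grouping behaviour Steve describes, as an added example (not code from this thread or from the audit project): records sharing a serial are assembled into one event, an EOE record closes the event on a live stream, and a serial change or end of input closes it for disk logs where auditd has stripped EOE. The sample records and their field values are constructed for illustration.

```python
import re
# Each audit record starts with its type and an msg=audit(timestamp:serial)
# tag; the serial is what ties the records of one event together.
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")

def parse_record(line):
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return {"type": m[1], "ts": m[2], "serial": int(m[3]), "body": m[4]}

def group_events(lines):
    """Group records into events: [{'serial', 'ts', 'records', 'terminated'}].
    A live stream (e.g. the af_unix plugin) ends each event with an EOE
    record, which closes it at once. auditd strips EOE before writing
    audit.log, so disk records are closed by a serial change or end of input."""
    pending = {}   # serial -> event still being assembled (insertion-ordered)
    events = []

    def close(serial, terminated):
        ev = pending.pop(serial)
        ev["terminated"] = terminated   # True only when an EOE was seen
        events.append(ev)

    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue                    # not an audit record; skip it
        serial = rec["serial"]
        if rec["type"] == "EOE":
            if serial in pending:
                close(serial, terminated=True)
            continue
        if serial not in pending:
            for old in list(pending):   # new serial: older ones lacked EOE
                close(old, terminated=False)
            pending[serial] = {"serial": serial, "ts": rec["ts"], "records": []}
        pending[serial]["records"].append(rec)
    for old in list(pending):
        close(old, terminated=False)
    return events

# Constructed sample: one live event (with EOE) followed by one as auditd
# stores it on disk (EOE stripped). Field values are illustrative only.
SAMPLE = """\
type=SYSCALL msg=audit(1281976712.123:4567): arch=c000003e syscall=2 success=yes exit=3
type=CWD msg=audit(1281976712.123:4567): cwd="/home/user"
type=PATH msg=audit(1281976712.123:4567): item=0 name="notes.txt"
type=EOE msg=audit(1281976712.123:4567):
type=SYSCALL msg=audit(1281976713.456:4568): arch=c000003e syscall=59 success=yes exit=0
type=EXECVE msg=audit(1281976713.456:4568): argc=1 a0="ls"
"""
```

Running `group_events(SAMPLE.splitlines())` yields two events: serial 4567 marked terminated by its EOE, and serial 4568 closed only because the input ended.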