Questions about enriched format and Node on RHEL 7.4

Mon Aug 7 15:25:38 UTC 2017

Hi,
With Rhel 7.4 just out, I am giving a try at the new audit.
Something seems strange to me.
With the default log_format = RAW in auditd.conf, I get the node= parameter right in rsyslog (through the syslog plugin).
If I switch to log_format = ENRICHED the parameter is missing altogether (no node=)

In both case local there is no node parameter in the local audit.log.
When I run ausearch --format text  from the  local host I never get node information.
When I run it from the data received by rsyslog (after stripping the prefix with sed 's/^.*audispd://'), I get the node information for the RAW format only.

Another point that bothers me is that I got an extra line did-unknown after each meaningful line when I use the remote content (RAW or ENRICHED)
This is what I get locally
At 16:03:55 07/08/17 fr18358, acting as root, successfully executed /bin/pkg-config
At 16:03:55 07/08/17 fr18358, acting as root, successfully executed /usr/libexec/grepconf.sh
At 16:03:55 07/08/17 fr18358, acting as root, successfully opened-file /dev/tty using grepconf.sh
At 16:03:55 07/08/17 fr18358, acting as root, successfully executed /bin/grep
This is what I get from remote data
At 15:43:52 07/08/17 fr18358, acting as root, successfully executed /bin/pkg-config
At 15:43:52 07/08/17  did-unknown
At 15:43:52 07/08/17 fr18358, acting as root, successfully executed /usr/libexec/grepconf.sh
At 15:43:52 07/08/17  did-unknown
At 15:43:52 07/08/17 fr18358, acting as root, successfully opened-file /dev/tty using grepconf.sh
At 15:43:52 07/08/17  did-unknown
At 15:43:52 07/08/17 fr18358, acting as root, successfully executed /bin/grep

Please tell me what I am doing wrong.
Philippe

!!!*************************************************************************************
"Ce message et les pi?ces jointes sont confidentiels et r?serv?s ? l'usage exclusif de ses destinataires. Il peut ?galement ?tre prot?g? par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir imm?diatement l'exp?diteur et de le d?truire. L'int?grit? du message ne pouvant ?tre assur?e sur Internet, la responsabilit? de Worldline ne pourra ?tre recherch?e quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'exp?diteur ne donne aucune garantie ? cet ?gard et sa responsabilit? ne saurait ?tre recherch?e pour tout dommage r?sultant d'un virus transmis.

This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.!!!"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20170807/1210fb9b/attachment.htm>