On Thursday 06 April 2006 10:47, Steve Brueckner wrote:
> What might cause this?

The event ID can be recycled. It's the combination of time stamp and serial number that creates uniqueness.

> At some point my event IDs got reset (they didn't cycle that fast!). I've
> been playing quite a bit with the audit system so I'm not sure what caused
> it. Possibilities include:
>
> - Restarting the auditd service

Nope

> - Rebooting the machine

Yep

> - Deleting the /var/log/audit/audit.log file

Nope

There can also be wrapping.

> Or should this just plain not happen?

It can happen.

> I'm on FC4 using kernel 2.6.12-1.1447_FC4xen0. I'm afraid I can't easily
> upgrade at the moment because I've built an entire system predicated on old
> versions of SELinux and Xen.

You will likely have other problems on a kernel that old. I think 2.6.14 was when we really had most features in place and stable.

> I also have a couple of other questions:
>
> - How large do audit event numbers get before they cycle back to zero?

I think it's a u32 number.

> - Is there any way to have ausearch search only the most recent audit log instead
> of all logs?

Sure, use the "-if" option and give it the full path to the file.

ausearch -if /var/log/audit/audit.log

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
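The point made in the reply, that an audit event is identified by the (timestamp, serial) pair and not by the serial alone, matters when tooling correlates records after a reboot or a u32 wrap. The script below is an added example, not code from the thread or from the audit project; the audit.log lines in it are constructed, and the "wrap" threshold is a heuristic assumption.

```python
"""Group Linux audit records into events by (time, serial) and flag serial resets."""
import re
from collections import OrderedDict

# every audit record carries msg=audit(<secs>.<millis>:<serial>)
AUDIT_ID = re.compile(r"msg=audit\((\d+)\.(\d{3}):(\d+)\)")
U32_MAX = 2**32 - 1  # the serial is a u32 in the kernel, so it can wrap

def parse_id(line):
    """Return (seconds, millis, serial) or None if the line is not an audit record."""
    m = AUDIT_ID.search(line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))

def group_events(lines):
    """Bucket records into events keyed by the full (time, serial) tuple.
    Keying on the serial alone would merge records from before and after a
    reboot (or a wrap) into one bogus event."""
    events = OrderedDict()
    for line in lines:
        ident = parse_id(line)
        if ident is None:
            continue
        events.setdefault(ident, []).append(line.split("type=")[1].split()[0])
    return events

def find_serial_resets(lines):
    """Report places where the serial goes backwards while time moves forwards:
    a reboot restarts the counter at a low value, a wrap passes U32_MAX."""
    resets, prev = [], None
    for line in lines:
        ident = parse_id(line)
        if ident is None:
            continue
        if prev is not None and ident[:2] >= prev[:2] and ident[2] < prev[2]:
            # heuristic (assumption): a serial near U32_MAX before the drop means a wrap
            kind = "wrap" if prev[2] > U32_MAX - 1000 else "reset"
            resets.append((prev, ident, kind))
        prev = ident
    return resets

# constructed sample: one three-record event, then a reboot resets the serial to 1
SAMPLE = [
    'type=SYSCALL msg=audit(1144335000.123:4567): arch=40000003 syscall=5 success=yes',
    'type=CWD msg=audit(1144335000.123:4567):  cwd="/root"',
    'type=PATH msg=audit(1144335000.123:4567): item=0 name="/etc/shadow"',
    'type=DAEMON_START msg=audit(1144335900.001:1): auditd start',
    'type=USER_LOGIN msg=audit(1144335950.450:2): user pid=1201 uid=0 msg=\'acct=root\'',
]
```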
