I have the program adding rules to Audit now.  Thank you for your help.

I also have my program monitoring the output from auditd (via the dispatch option in auditd.conf).

Ideally, I would like to only capture (or parse) events pertaining to rules I have created (since other system processes are using auditd as well). Is there any kind of identifier that ties events to rules?

Thank you again,
Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
