> -----Original Message-----
> It also assembles the records into an
> event before presenting them. It interprets some of the data
> so that it's more usable even if you don't ask for a full
> interpretation.
>
> -Steve
Steve,

On my 1.0.15 installation, I did some quick scraping to see if audit trail records could be split after ausearch was done processing them, and yes, they can be split. I'm fine with the raw logs not necessarily being joined, but this was the output from ausearch. It did it even when I asked for the split record by event id; that is, it still split them into separate records. I estimate that this is really only for about 0.5% of the records though, and it may be tied to my particular version. This does make it difficult to know that I haven't missed anything.

Thanks,
Charlie Todd
Ball Aerospace & Technologies Corp.

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
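The behaviour Charlie describes (records that belong to one audit event showing up in separate `----`-delimited blocks of ausearch output) is easy to miss when reading the output by eye. The following is an added example, not code from the thread, from ausearch, or from the audit project: it regroups ausearch-style text by the event id embedded in each record's `msg=audit(timestamp:serial)` field and reports any event whose records were spread over more than one block. The sample output is constructed for the example; the record contents and the `1.0.15` split behaviour it mimics are assumptions, not captured data.

```python
import re
from collections import defaultdict

# Constructed ausearch-style output (not from the original thread). The third
# block repeats event 1300000000.123:42, which is the split case under discussion.
SAMPLE = """\
----
time->Mon Jan 01 00:00:00 2011
type=SYSCALL msg=audit(1300000000.123:42): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat" key="watch-etc"
type=CWD msg=audit(1300000000.123:42):  cwd="/root"
----
time->Mon Jan 01 00:00:01 2011
type=SYSCALL msg=audit(1300000000.456:43): arch=c000003e syscall=2 success=no exit=-13 comm="cat" exe="/bin/cat" key="watch-etc"
----
time->Mon Jan 01 00:00:00 2011
type=PATH msg=audit(1300000000.123:42): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100400 ouid=0 ogid=0
"""

# Every audit record carries msg=audit(<seconds.millis>:<serial>); the pair is
# the event id that ties SYSCALL, CWD, PATH, ... records together.
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_blocks(text):
    """Split ausearch output on '----' separator lines into lists of record lines.

    'time->' header lines and blank lines are dropped; they carry no event id.
    """
    blocks, current = [], []
    for line in text.splitlines():
        if line.strip() == '----':
            if current:
                blocks.append(current)
            current = []
        elif line.startswith('time->') or not line.strip():
            continue
        else:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def group_events(text):
    """Regroup records by event id regardless of which block they appeared in.

    Returns (events, split_ids): events maps event id -> list of record lines,
    split_ids lists the event ids whose records were spread over >1 block.
    """
    events = defaultdict(list)
    blocks_seen = defaultdict(set)
    for idx, block in enumerate(parse_blocks(text)):
        for line in block:
            m = MSG_RE.search(line)
            if not m:
                continue  # not an audit record line; ignore
            event_id = f"{m.group(1)}:{m.group(2)}"
            events[event_id].append(line)
            blocks_seen[event_id].add(idx)
    split_ids = sorted(e for e, idxs in blocks_seen.items() if len(idxs) > 1)
    return dict(events), split_ids


def record_types(events, event_id):
    """List the type= values of one reassembled event, in the order seen."""
    return [line.split()[0].split('=', 1)[1] for line in events[event_id]]


if __name__ == "__main__":
    events, split_ids = group_events(SAMPLE)
    print(f"{len(events)} events reassembled")
    for event_id in split_ids:
        print(f"split event {event_id}: records {record_types(events, event_id)}")
```

Run against real output, feed the file in with `group_events(open(path).read())`: a non-empty `split_ids` is the signal that the visible blocks cannot be trusted as whole events, and `events[event_id]` gives the reassembled record set to review instead.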
