On Tue, 2008-05-27 at 11:16 -0500, LC Bruzenak wrote:
> On Tue, 2008-05-27 at 12:10 -0400, Steve Grubb wrote:
> ...
> > > Once we aggregate these would be tough to separate.
> >
> > That is why we added the node field. :) You should probably enable it with
> > the name_format option.
>
> I think I do have it:
>
> [EMAIL PROTECTED] audit]# grep name_format /etc/audit/auditd.conf
> name_format = hostname

Isn't it the audit dispatcher's role to add the node name in the record? If so, only records going through the audispd would have this field.

-K

--
Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
