Hello Steve,

  The log whose message type is CONFIG_CHANGE does not contain "auid=" and
exists in /var/log/audit/audit.log. Is this OK, or is the log missing "auid="?
  
  If you think this is OK, I will make a new patch.


Peng Haitao said the following on 2008-7-29 13:40:
> Hello Steve, 
> 
> Executing command "echo 'type=CONFIG_CHANGE msg=audit(1214114026.152:1641): 
> op=updated rules specifying path="/home/pht/source/sys_temp" with 
> dev=4294967295 ino=4294967295  list=-672208416 res=1' | ausearch -r", the 
> output is NULL.
> The log is from /var/log/audit/audit.log and not modified.
> 
> Signed-off-by: Peng Haitao <[EMAIL PROTECTED]>
> ---
>  src/ausearch-parse.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
> index 141fdee..0c38be1 100755
> --- a/src/ausearch-parse.c
> +++ b/src/ausearch-parse.c
> @@ -1403,7 +1403,7 @@ static int parse_simple_message(const lnode *n, 
> search_items *s)
>       // get loginuid
>       str = strstr(n->message, "auid=");
>       if (str == NULL)
> -             return 1;
> +             return 0;
>       ptr = str + 5;
>       term = strchr(ptr, ' ');
>       if (term)
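
Review bot: The `return 0` on the `str == NULL` path in parse_simple_message makes a missing "auid=" acceptable for every record this function handles, not only CONFIG_CHANGE. Because it is still an early return, it also skips whatever the function parses after the loginuid block. Consider guarding just the auid parsing with `if (str) { ... }` so the function runs to its end. A comment beside the check should say that some records, such as the CONFIG_CHANGE line quoted in the message, legitimately carry no auid. It would also help to state what the login uid in `search_items *s` is left as in that case, so a search filtering on loginuid does not match these records by accident.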

-- 
Regards
Peng Haitao

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
