On Tuesday 29 July 2008 06:07:15 Peng Haitao wrote:
> The log which message type is CONFIG_CHANGE does not contain "auid=" and
> exists in /var/log/audit/audit.log, This will be OK or the log loses
> "auid="?

All records must have auid. That is part of the requirements besides date, time, what happened, and what the results were. If that record is missing auid, we need to patch the kernel.

-Steve

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
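
One way to check a log for the condition discussed above, as an added example that is not part of the original message or of the audit project's code. It goes slightly beyond the thread by grouping records by event (timestamp:serial) and reporting events in which no record carries auid=; the function name events_missing_auid and the sample lines are constructed for illustration, and the usual "type=... msg=audit(time:serial): key=value" line layout is assumed.

```python
import re
from collections import defaultdict

# Assumed line layout: type=NAME msg=audit(EPOCH.MS:SERIAL): key=value ...
RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# Match auid= only as a whole key, so a key such as old_auid= does not count.
AUID_RE = re.compile(r'(?:^|\s)auid=\S+')

# Constructed sample records (not taken from a real system).
SAMPLE = """\
type=CONFIG_CHANGE msg=audit(1217308035.123:101): audit_enabled=1 old=0 res=1
type=CONFIG_CHANGE msg=audit(1217308040.456:102): auid=500 ses=1 op="add rule" res=1
type=SYSCALL msg=audit(1217308050.789:103): syscall=2 success=yes pid=2211 auid=500 uid=0
type=PATH msg=audit(1217308050.789:103): item=0 name="/etc/shadow" inode=1234
""".splitlines()


def events_missing_auid(lines):
    """Return {(timestamp, serial): [record types]} for every event in which
    no record carries an auid= field. Unparseable lines are skipped."""
    types_by_event = defaultdict(list)
    events_with_auid = set()
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        event = (ts, serial)
        types_by_event[event].append(rtype)
        if AUID_RE.search(body):
            events_with_auid.add(event)
    return {ev: t for ev, t in types_by_event.items()
            if ev not in events_with_auid}


if __name__ == "__main__":
    for (ts, serial), rtypes in events_missing_auid(SAMPLE).items():
        print(f"event {ts}:{serial} has no auid= (types: {', '.join(rtypes)})")
```

To run it against a real log, pass an open file object for /var/log/audit/audit.log instead of SAMPLE.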
