> After looking at this I had a hunch - the collector machine is 32-bit,
> the sender 64-bit.

And the magic number has the high bit set. I wonder if there's a sign
extension in there somewhere? Can you try between two 32 bit hosts?

> I assume that all events on the sender make it to the collector. Is this
> true always?

I didn't add any filters - anything that makes it to audisp-remote
eventually gets queued in the server's event queue.

> But I cannot see this event on the collector.

All remote messages will have "node=" in them somewhere. Can you grep
for that manually in your server's audit logs? I wonder if ausearch is
skipping them.

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
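
Added example (not part of the original message, and not code from the audit project): a C model of the sign-extension hypothesis raised above, showing how one magic-number check can pass where long is 32 bits wide and fail where it is 64 bits wide. The magic value, the 4-byte header layout and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed magic with the high bit set; not taken from the audit sources. */
#define DEMO_MAGIC UINT32_C(0x80000001)

/* Sender side: write a 32-bit magic into the header in network byte order. */
static void pack_magic(unsigned char *h, uint32_t magic) {
    h[0] = (unsigned char)(magic >> 24);
    h[1] = (unsigned char)(magic >> 16);
    h[2] = (unsigned char)(magic >> 8);
    h[3] = (unsigned char)magic;
}

/* Receiver side: reassemble the magic without ever touching a signed type. */
static uint32_t load_be32(const unsigned char *h) {
    return ((uint32_t)h[0] << 24) | ((uint32_t)h[1] << 16) |
           ((uint32_t)h[2] << 8) | (uint32_t)h[3];
}

/* Fragile pattern, modelled for a host whose long is 32 bits wide: the value
   passes through a signed int, but no widening happens, so the bits survive. */
static int fragile_check_long32(const unsigned char *h, uint32_t magic) {
    int32_t as_long = (int32_t)load_be32(h);  /* wraps negative on usual ABIs */
    return (uint32_t)as_long == magic;
}

/* Same pattern on a host whose long is 64 bits wide: widening the negative
   int sign-extends into the upper 32 bits and the comparison fails. */
static int fragile_check_long64(const unsigned char *h, uint32_t magic) {
    int64_t as_long = (int32_t)load_be32(h);
    return (uint64_t)as_long == (uint64_t)magic;
}

/* Width-independent check: compare fixed-width unsigned values only. */
static int robust_check(const unsigned char *h, uint32_t magic) {
    return load_be32(h) == magic;
}

int main(void) {
    unsigned char h[4];
    pack_magic(h, DEMO_MAGIC);
    printf("long32=%d long64=%d robust=%d\n", fragile_check_long32(h, DEMO_MAGIC),
           fragile_check_long64(h, DEMO_MAGIC), robust_check(h, DEMO_MAGIC));
    return 0;
}
```

A magic with the high bit clear passes all three checks, which is why this class of bug only shows up for values at or above 0x80000000.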
