On Fri, 2008-09-12 at 20:05 -0400, DJ Delorie wrote:
> > Just as an aside, I was sending in the auditctl event because I do not
> > see the "node=" information in the ausearch results on my collector.
> > So I wasn't certain which machine might be initiating the event.
>
> Locally generated events won't have the node= (at least, on my machine
> they don't). Remotely generated events should have the node= on them.

I thought there was a distinction as to where it was assigned, as in
auditd.conf vice audispd.conf. The raw data (in the log) does have it
locally.

So anyway, if I see no node= events in the collector I know that it
isn't getting any events. Also the sender's audispd sends log messages
saying the queue is full and it must drop the events.

LCB.

--
LC (Lenny) Bruzenak
[EMAIL PROTECTED]

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
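
The check described in the message above (no node= events on the collector means nothing is arriving from the senders) can be run over the collector's raw audit log. This is an added example, not part of the original thread; the host names, the sample records and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Leading fields of a raw audit record: an optional node= field, then
# type= and msg=audit(epoch:serial).
RECORD = re.compile(
    r'^(?:node=(?P<node>\S+)\s+)?type=(?P<type>\S+)\s+'
    r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)'
)

LOCAL = "(no node=)"  # bucket for records that carry no node= field


def events_per_node(lines):
    """Count distinct audit events (not records) per node= value."""
    seen = set()
    counts = Counter()
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue  # not an audit record
        node = m.group("node") or LOCAL
        # Records belonging to one event share the same timestamp:serial.
        key = (node, m.group("ts"), m.group("serial"))
        if key not in seen:
            seen.add(key)
            counts[node] += 1
    return counts


def silent_senders(lines, expected):
    """Return the expected sender names with no events in the log."""
    counts = events_per_node(lines)
    return sorted(n for n in expected if counts[n] == 0)


# Constructed sample of a collector log: one local event without node=,
# two events from sender1, nothing from sender2.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1221264301.120:511): arch=c000003e syscall=2 success=yes exit=3 comm="cat" key="watch-etc"
type=PATH msg=audit(1221264301.120:511): item=0 name="/etc/hosts"
node=sender1.example.test type=SYSCALL msg=audit(1221264305.004:88): arch=c000003e syscall=2 success=yes exit=3 comm="cat" key="watch-etc"
node=sender1.example.test type=PATH msg=audit(1221264305.004:88): item=0 name="/etc/hosts"
node=sender1.example.test type=SYSCALL msg=audit(1221264309.450:89): arch=c000003e syscall=2 success=yes exit=3 comm="less" key="watch-etc"
""".splitlines()

if __name__ == "__main__":
    print(dict(events_per_node(SAMPLE_LOG)))
    print(silent_senders(SAMPLE_LOG, ["sender1.example.test", "sender2.example.test"]))
```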
