On Thursday 19 February 2009 09:26:28 am Dan Gruhn wrote: > Although this seemed like the right place to look, I don't see > USER_LOGOUT events in my audit logs,
They are not used. I decided later that it was not needed for analysis. When you login, there is always a session open event (user_start). This is associated with a user_login event. So, when you see the session closed event (user_end), the logout has occurred. However...what if gdm dies? What if the kernel oopses? You have no ending marker. So, what I did recently was patch upstart so that it logs system boot & shutdown events. This way you can tell when the system malfunctioned. The logic for the analysis is in the aulast program, which is in 1.7.11. However, you don't have a patched upstart daemon for RHEL5 since it uses the older SysVinit package. One thing to note, preikka/prelude is an IDS system. Not all audit events are IDS events. Only a handful really qualify as Intrusion Detection worthy. So, you really can't use prewikka as an audit log browser. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
