Hi Steve,

Just to confirm this: if I am taking my data stream through the af_unix socket built-in plugin, will I get the AUDIT_EOE event? Do I have to set up some special rule to get this event, or is it there by default in the af_unix plugin stream?

Thanks for the prompt reply.

Basim
On Mon, Aug 16, 2010 at 5:46 PM, Steve Grubb <[email protected]> wrote:
> On Monday, August 16, 2010 05:38:52 pm Basim Baig wrote:
> > It would be really helpful to know if the number of events generated per
> > system call change or do they stay the same.
>
> As your data suggests, there can be several different records per event
> depending on what it's trying to tell you. They all end with an AUDIT_EOE
> record. Auditd strips this off to save disk space, but live events have it.
>
> -Steve
>
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
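As an added illustration of the point in Steve's reply (not code from the thread or from the audit project): a consumer reading records from the af_unix plugin can close each event on its type=EOE record, while a reader of audit.log, where auditd has stripped EOE, has to close an event when records for a new serial start arriving. The record lines below are constructed samples.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Every record carries "msg=audit(<secs>.<ms>:<serial>)"; all records of one
# event share that key.  A live stream (e.g. from the af_unix plugin) ends each
# event with a type=EOE record; auditd drops EOE when writing audit.log, so a
# disk reader must close an event when a different serial shows up instead.
_KEY_RE = re.compile(r"\bmsg=audit\((\d+\.\d+:\d+)\)")
_TYPE_RE = re.compile(r"\btype=(\w+)")

def parse_record(line: str) -> Optional[Tuple[str, str]]:
    """Return (event_key, record_type), or None if the line is not an audit record."""
    k, t = _KEY_RE.search(line), _TYPE_RE.search(line)
    return (k.group(1), t.group(1)) if k and t else None

def assemble_events(lines: Iterable[str], eoe_terminated: bool = True) -> List[Dict]:
    """Group raw records into events: a dict with the key, the record types in
    arrival order, and whether an EOE record closed it.  eoe_terminated=True
    models the live stream, False the on-disk log without EOE markers."""
    open_events: Dict[str, Dict] = {}   # key -> event still being collected
    done: List[Dict] = []

    def close(key: str, via_eoe: bool) -> None:
        ev = open_events.pop(key)
        ev["closed_by_eoe"] = via_eoe
        done.append(ev)

    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        key, rtype = parsed
        if rtype == "EOE":                      # live stream: explicit terminator
            if key in open_events:
                close(key, True)
            continue
        if key not in open_events:
            if not eoe_terminated:              # disk log: new serial ends the old ones
                for old in list(open_events):
                    close(old, False)
            open_events[key] = {"key": key, "records": []}
        open_events[key]["records"].append(rtype)
    for key in list(open_events):               # end of input: flush what is left
        close(key, False)
    return done

# Constructed samples: one live-stream event (closed by EOE) and a disk-style
# log holding two events with no EOE records at all.
LIVE = [
    'type=SYSCALL msg=audit(1281995160.123:100): arch=c000003e syscall=2 success=yes exit=3',
    'type=CWD msg=audit(1281995160.123:100): cwd="/root"',
    'type=PATH msg=audit(1281995160.123:100): item=0 name="/etc/hostname"',
    'type=EOE msg=audit(1281995160.123:100): ',
]
DISK = [
    'type=SYSCALL msg=audit(1281995160.456:101): arch=c000003e syscall=2 success=yes exit=4',
    'type=PATH msg=audit(1281995160.456:101): item=0 name="/etc/hosts"',
    'type=SYSCALL msg=audit(1281995161.001:102): arch=c000003e syscall=59 success=yes exit=0',
]
```

Running `assemble_events(LIVE)` yields one event closed by EOE, while `assemble_events(DISK, eoe_terminated=False)` yields two events, neither of which saw an EOE record.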
