----- "Jure Simsic" <jure.sim...@gmail.com> wrote:
> Hi
>
> I need to audit some specific commands which have the following form
>
> cmd -arg1 -arg2 -query 'some query("args")'
>
> In audit log I get a record like:
> type=EXECVE msg=audit(1282117611.037:27469599): argv [0] ="cmd" argv [1]
> ="-arg1" argv [2] ="-arg2" argv [3] ="-query" argv [4]
> =737472626567696E73287468726561645F69642C227468726561645F69643D32333639383932662229
>
>
> Now, I'd really need to get the last query argument in an understandable
> form. Is this possible or is this the way it is and I can't do it?

(ausearch -i), at least in recent versions.

Mirek
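What the interpreted output amounts to for this record, as an added example that is not part of the original thread: the audit system writes an argument as bare hex when it contains characters such as spaces or quotes, and the sketch below reverses that for the record quoted above. The function names are hypothetical, and handling the `aN=` field spelling of current audit logs next to the post's `argv [N] =` form is an addition.

```python
import re

# Record copied from the question above, with the mail line wraps joined.
RECORD = (
    'type=EXECVE msg=audit(1282117611.037:27469599): argv [0] ="cmd" '
    'argv [1] ="-arg1" argv [2] ="-arg2" argv [3] ="-query" argv [4] '
    '=737472626567696E73287468726561645F69642C22'
    '7468726561645F69643D32333639383932662229'
)

# Accepts "argv [N] =value" (as in the post) and "aN=value".
# A value is either a "quoted" literal or a bare token.
ARG_RE = re.compile(r'(?:argv\s*\[(\d+)\]|\ba(\d+))\s*=\s*("[^"]*"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def decode_value(raw):
    """Return (text, was_hex) for one argument value (hypothetical helper)."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1], False          # quoted: logged verbatim
    if HEX_RE.fullmatch(raw):
        data = bytes.fromhex(raw)        # bare hex: encoded by the kernel
        text = data.decode("utf-8", errors="backslashreplace")
        # Escape control characters so a hostile argument cannot inject
        # newlines or terminal escapes into a report or a terminal.
        text = "".join(
            c if c.isprintable() else c.encode("unicode_escape").decode()
            for c in text
        )
        return text, True
    return raw, False                    # e.g. (null): leave untouched


def decode_execve(record):
    """Return the argument vector of one EXECVE record, in index order."""
    args = {}
    for m in ARG_RE.finditer(record):
        idx = int(m.group(1) or m.group(2))
        args[idx] = decode_value(m.group(3))[0]
    return [args[i] for i in sorted(args)]


if __name__ == "__main__":
    for i, arg in enumerate(decode_execve(RECORD)):
        print(i, arg)
```
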