Hello Steve, the option '--session Login-Session-ID' does not find a log record that contains the given Login Session ID when the message type is MAC_POLICY_LOAD.
For example: # echo "type=MAC_POLICY_LOAD msg=audit(1290670949.711:413341): policy loaded auid=0 ses=218" | ausearch --session 218 <no matches>
Signed-off-by: Peng Haitao <[email protected]>
---
 src/ausearch-parse.c | 18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 30a96a2..0ffea14 100755
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1551,14 +1551,14 @@ static int parse_simple_message(const lnode *n, search_items *s)
 if (str) {
 ptr = str + 4;
 term = strchr(ptr, ' ');
- if (term == NULL)
- return 3;
- *term = 0;
+ if (term)
+ *term = 0;
 errno = 0;
 s->session_id = strtoul(ptr, NULL, 10);
 if (errno)
- return 4;
- *term = ' ';
+ return 3;
+ if (term)
+ *term = ' ';
 }
 }
@@ -1582,7 +1582,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
 else // Set it back to something sane
 term = str;
 } else
- return 5;
+ return 4;
 }
 }
@@ -1593,7 +1593,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
 //create
 s->key = malloc(sizeof(slist));
 if (s->key == NULL)
- return 6;
+ return 5;
 slist_create(s->key);
 }
 ptr = str + 4;
@@ -1612,7 +1612,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
 }
 *term = '"';
 } else
- return 7;
+ return 6;
 } else {
 if (s->key) {
 char *saved=NULL;
@@ -1652,7 +1652,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
 errno = 0;
 s->success = strtoul(ptr, NULL, 10);
 if (errno)
- return 8;
+ return 7;
 if (term)
 *term = ' ';
 }
--
1.7.0.1
-- Best Regards, Peng Haitao
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
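Review bot: The `strtoul(ptr, NULL, 10)` call kept by the first hunk treats only `errno` as failure, so a session field with no digits is stored as session 0 without any error; now that a missing terminator is accepted, the conversion also runs to the end of the record unchecked. For a tool used to search audit evidence, a malformed or truncated record that silently matches `--session 0` is worth ruling out, and passing an end pointer and rejecting `end == ptr` does that. The `return 3` path also leaves the NUL written at `*term` in place, which matters if the caller keeps using the record text after a non-zero return (not visible here). parse_simple_message starts and ends outside the hunk; the fence assumes a new `char *end` local declared with the function's other locals.

```c
// … unchanged: strchr() lookup and NUL-termination at term …
errno = 0;
s->session_id = strtoul(ptr, &end, 10);
if (errno || end == ptr) {
	// undo the temporary NUL before reporting the bad field
	if (term)
		*term = ' ';
	return 3;
}
// … unchanged: restore of *term on the success path …
```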
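Review bot: Renumbering the bare return codes in the second hunk (`return 5;` → `return 4;`) and in the three hunks after it (6→5, 7→6, 8→7) shifts the meaning of every failure code past the session field, so anything that logs or compares these values will report a different field than before. Leaving 4 unused would keep the old mapping and shrink the patch to the first hunk. If the codes are meant to stay dense, a comment above the function listing what each value means, or named constants in place of the literals, would make the next insertion less error-prone. How callers use the value is not visible in these hunks.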
