If I add a new user with the "useradd" utility, it submits an ADD_USER event, but the event itself has no interpretation for the new UID.
IOW, the "id" field is numeric and the translated data at the end of the raw record has "ID=unknown(number)".

I'm guessing it is because until the user data has been successfully entered, there is no translation. Perhaps the event submission should wait until that happens?

I may be able to dig out the name from other related generated events, but that is kind of a pain.

audit-2.8.5, RHEL 7.6

Thx,
LCB

--
Lenny Bruzenak
MagitekLTD

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
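An added example, not part of the original post and not code from the audit project: a post-processing pass that fills in the `ID=unknown(number)` interpretation on ADD_USER records from a passwd-format snapshot taken after useradd has finished. The sample record, the 0x1d separator before the interpreted fields, the snapshot contents and the function names are all assumptions made for this sketch.

```python
import re

# Constructed sample: an ADD_USER record shaped like the one described above
# (numeric id=, interpreted ID=unknown(N) at the end). All values are made up.
# Assumption: interpreted fields follow a 0x1d byte, as in enriched log output.
SAMPLE = ("type=ADD_USER msg=audit(1550000000.123:456): pid=2211 uid=0 "
          "auid=1000 ses=3 msg='op=add-user id=1001 "
          "exe=\"/usr/sbin/useradd\" res=success'"
          "\x1dUID=\"root\" AUID=\"admin\" ID=\"unknown(1001)\"")

# Constructed passwd(5)-format snapshot, read after the account exists.
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "alice:x:1001:1001::/home/alice:/bin/bash\n")

# Matches KEY=unknown(N) with or without surrounding quotes.
UNKNOWN = re.compile(r'\b([A-Z]+)="?unknown\((\d+)\)"?')


def load_passwd(text):
    """Map uid -> login name from passwd(5)-format text (first entry wins)."""
    names = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            names.setdefault(int(parts[2]), parts[0])
    return names


def resolve_unknown(record, names):
    """Rewrite KEY=unknown(N) in an ADD_USER record when N is resolvable.

    Only ADD_USER is touched: in other record types the id may be a gid,
    or the account may be gone again (DEL_USER), so a lookup could mislead.
    The raw part before the separator is never modified.
    """
    raw, sep, interp = record.partition("\x1d")
    if not sep or not raw.startswith("type=ADD_USER "):
        return record

    def fix(match):
        name = names.get(int(match.group(2)))
        return match.group(0) if name is None else f'{match.group(1)}="{name}"'

    return raw + sep + UNKNOWN.sub(fix, interp)
```

Because the name is resolved after the fact, it reflects the passwd data at lookup time, not at event time, so the snapshot should be taken as close to the event as possible.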
