Hi Risto,
thank you for the previous help and my apologies for disturbing you.
I had thought I understood how to build a new correlation for EXECVE
messages. But I have run into the next problem.
I'm receiving these messages in order: SYSCALL, EXECVE, CWD and PATH.
Depends on activity these messa
hi Nikolay,
hopefully my e-mail is not too confusing, but I've played a little bit
with linux auditd logs today and checked their format. At least on my
laptop, it appears that the messages are always consecutive. In other
words, the messages with the same timestamp and eventID (the value
that is
..forgot to mention that the ruleset example from my previous e-mail
assumes the use of the --intcontexts command line option (the 'cevent'
action needs this).
regards,
risto
2016-11-19 1:24 GMT+02:00 Risto Vaarandi :
> hi Nikolay,
>
> hopefully my e-mail is not too confusing, but I've played a little bit
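The grouping step both mails are circling around, as an added example that is not part of the thread and not SEC code: the records of one execve(2) event (SYSCALL, EXECVE, CWD, PATH) share the id after the colon in msg=audit(time:id), and, as Risto observed, normally arrive back to back, so a parser can cut the stream into events wherever that id changes and then rebuild the command line from the EXECVE record. The audit lines below are constructed for the example; the hex-encoded a2 shows how auditd emits an argument containing a space, which the example decodes.

```python
import re

# Constructed sample (not from the thread): two execve(2) events, each arriving as the
# SYSCALL, EXECVE, CWD, PATH sequence Nikolay describes. In event 4567 the third
# argument contains a space, so auditd hex-encodes it instead of quoting it.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1479515001.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55d3f6a1b2c0 a1=55d3f6a1b3e0 a2=55d3f6a1c100 a3=7ffd2e1a0c30 items=2 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="exec"
type=EXECVE msg=audit(1479515001.123:4567): argc=3 a0="ls" a1="-la" a2=2F746D702F6D7920646972
type=CWD msg=audit(1479515001.123:4567): cwd="/home/nikolay"
type=PATH msg=audit(1479515001.123:4567): item=0 name="/bin/ls" inode=131 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1479515001.123:4567): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=140 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1479515002.456:4568): arch=c000003e syscall=59 success=yes exit=0 a0=55d3f6a1d000 a1=55d3f6a1d0a0 a2=55d3f6a1c100 a3=7ffd2e1a0c30 items=1 ppid=1234 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="exec"
type=EXECVE msg=audit(1479515002.456:4568): argc=1 a0="id"
type=CWD msg=audit(1479515002.456:4568): cwd="/home/nikolay"
type=PATH msg=audit(1479515002.456:4568): item=0 name="/usr/bin/id" inode=150 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# type=..., then msg=audit(<seconds.millis>:<event id>):, then key=value fields.
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# Values are either a double-quoted string or a run of non-blank characters.
FIELD_RE = re.compile(r'([\w\[\]]+)=("[^"]*"|\S*)')


def parse_record(line):
    """Split one auditd line into type, timestamp, event id and raw fields.
    Values keep their surrounding quotes so a caller can tell a quoted string
    from an unquoted (hex-encoded or numeric) value."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, eid, body = m.groups()
    return {"type": rtype, "ts": float(ts), "id": int(eid),
            "fields": dict(FIELD_RE.findall(body))}


def group_events(lines):
    """Group consecutive records that carry the same event id into one event.
    This relies on the records of one event arriving back to back, which is
    what Risto saw on his laptop; a stream that interleaves events would need
    a dict keyed by id plus a timeout instead of this single cursor."""
    events, current = [], None
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if current is None or rec["id"] != current["id"]:
            current = {"id": rec["id"], "ts": rec["ts"], "records": []}
            events.append(current)
        current["records"].append(rec)
    return events


def decode_value(raw):
    """Unquote a quoted auditd string, or hex-decode an unquoted one. auditd
    hex-encodes a string field (and drops the quotes) when the value contains
    a space, a double quote or a control character."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def summarize_execve(event):
    """Collect exe/pid/auid from SYSCALL, argv from EXECVE, cwd from CWD and the
    file names from PATH records. Returns None when the event has no EXECVE
    record. Arguments that auditd splits into a1[0], a1[1], ... pieces are not
    reassembled here and would show up as empty strings."""
    out = {"id": event["id"], "ts": event["ts"], "argv": None, "paths": []}
    for rec in event["records"]:
        f = rec["fields"]
        if rec["type"] == "SYSCALL":
            out["exe"] = decode_value(f.get("exe", '""'))
            out["pid"] = int(f["pid"])
            out["auid"] = int(f["auid"])
        elif rec["type"] == "EXECVE":
            out["argv"] = [decode_value(f.get("a%d" % i, '""'))
                           for i in range(int(f["argc"]))]
        elif rec["type"] == "CWD":
            out["cwd"] = decode_value(f["cwd"])
        elif rec["type"] == "PATH":
            out["paths"].append(decode_value(f["name"]))
    return out if out["argv"] is not None else None


def summarize_log(text):
    """One summary dict per execve event found in the text."""
    return [s for s in (summarize_execve(e) for e in group_events(text.splitlines())) if s]


if __name__ == "__main__":
    for s in summarize_log(SAMPLE_LOG):
        print(s["id"], "auid=%d" % s["auid"], s["cwd"], s["exe"], s["argv"])
```

The same cut, on the event id rather than on the message type, is what a rule set has to do as well: the EXECVE record alone has no exe, cwd or user, so the SYSCALL record with the same id must be kept until the rest of the event has arrived.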