Ignacio Marambio Catán wrote:
> interesting, from what i've seen, i have to audit either as or ua
> nacho@saturn:/etc/security$ pfexec grep prof_cmd *
> audit_event:6180:AUE_prof_cmd:profile command:ua,as
>
> however, that only seems to audit role login and logout
> nacho@saturn:/etc/security$ grep -v "^#" audit_control
> dir:/var/audit
> flags:
> minfree:20
> naflags: lo,ua
> plugin: name=audit_syslog.so; p_flags=lo,-am,ua

You need to have it in flags as well. The p_flags for the audit_syslog plugin is a filter on the main flags entry. The main flags entry applies to what the kernel will generate binary records for and send to auditd(1M).

I thought that should have been clear from the first example in the audit_syslog(5) man page.

--
Darren J Moffat
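
Added example, not part of the original thread: a small check that reads an audit_control file and lists plugin p_flags classes that the flags line never preselects, so the plugin filter has nothing to pass for attributable events. The function names are hypothetical; it assumes the +, - and ^ prefixes can be ignored when comparing class names and does not consider per-user settings in audit_user.

```python
# Constructed sample: the audit_control quoted in the message above.
SAMPLE = """\
dir:/var/audit
flags:
minfree:20
naflags: lo,ua
plugin: name=audit_syslog.so; p_flags=lo,-am,ua
"""

def classes(spec):
    """Split a flag list into bare class names, dropping +, - and ^ prefixes."""
    return [c.strip().lstrip("+-^") for c in spec.split(",") if c.strip()]

def parse(text):
    """Return (flags, naflags, {plugin name: p_flags classes})."""
    flags, naflags, plugins = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "flags":
            flags = classes(value)
        elif key == "naflags":
            naflags = classes(value)
        elif key == "plugin":
            attrs = dict(a.strip().split("=", 1) for a in value.split(";") if "=" in a)
            plugins[attrs.get("name", "?")] = classes(attrs.get("p_flags", ""))
    return flags, naflags, plugins

def filtered_out(text):
    """Map plugin -> {class: reason} for p_flags classes that flags never preselects."""
    flags, naflags, plugins = parse(text)
    report = {}
    for name, wanted in plugins.items():
        missing = {}
        for cls in wanted:
            if "all" in flags or cls in flags:
                continue  # the kernel generates records for this class
            missing[cls] = "naflags only" if cls in naflags else "not preselected"
        if missing:
            report[name] = missing
    return report

if __name__ == "__main__":
    for plugin, missing in filtered_out(SAMPLE).items():
        for cls, why in missing.items():
            print(f"{plugin}: p_flags class '{cls}' is {why}; add it to flags:")
```
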