On Mon, 22.06.15 23:16, Michał Zegan ([email protected]) wrote: > Are audit messages in _TRANSPORT=audit in systemd 219, or later only?
Since day #1 of the native audit support they are _TRANSPORT=audit, hence also in v219. Note thought that the kernel also copies audit msgs to kmsg -- if you have no auditd running. Those messages are considered kmsg messages, and cannot sanely be detected. The kernel really needs to be fixed to not dump audit msgs to kmsg anymore if userspace is listening via multicast audit, the way journald does it. Lennart -- Lennart Poettering, Red Hat _______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
