On Mon, 2014-06-16 at 17:20 -0400, Eric Paris wrote:

> I'd call this a pretty clear userspace bug where it just completely
> drops records, even if it can't parse them...

Definitely a userspace bug...

[root@localhost eparis]# ausearch -m login 
<no matches>
[root@localhost eparis]# cat /var/log/audit/audit.log | grep "type=LOGIN" | wc -l
14
[root@localhost eparis]# uname -a
Linux localhost.localdomain 3.14.4-200.fc20.x86_64 #1 SMP Tue May 13 13:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost eparis]# rpm -q audit
audit-2.3.7-1.fc20.x86_64

type=LOGIN msg=audit(1402952461.125:37289): pid=30708 uid=0 old-auid=4294967295 new-auid=0 old-ses=4294967295 new-ses=137 res=1

I get it that the parser doesn't know how to handle new-auid and new-ses,
but just dropping the record really seems like a bad idea to me...

-Eric

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
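
An added example, not part of the original message and not code from the audit project: a tolerant record parser in Python that keeps LOGIN records carrying unfamiliar keys such as new-auid and new-ses, together with the grep-versus-search cross-check from the session above. The function names and the second sample record are constructed for illustration, and quoted values containing spaces are not handled.

```python
import re

# Constructed sample log: line 1 is the LOGIN record quoted in the message,
# line 2 is a constructed record with a malformed token, line 3 is noise.
SAMPLE_LOG = (
    "type=LOGIN msg=audit(1402952461.125:37289): pid=30708 uid=0 "
    "old-auid=4294967295 new-auid=0 old-ses=4294967295 new-ses=137 res=1\n"
    "type=LOGIN msg=audit(1402952470.500:37290): pid=30711 uid=0 "
    "old-auid=4294967295 new-auid=1000 garbage res=1\n"
    "not an audit record\n"
)

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")

def parse_record(line):
    """Parse one record; unknown keys are kept, bad tokens are set aside."""
    m = HEADER.match(line.strip())
    if m is None:
        return None  # not an audit record at all
    rec = {"type": m.group(1), "time": m.group(2), "serial": int(m.group(3)),
           "fields": {}, "unparsed": []}
    for token in m.group(4).split():
        key, sep, value = token.partition("=")
        if sep and key:
            rec["fields"][key] = value      # accepts new-auid, new-ses, ...
        else:
            rec["unparsed"].append(token)   # keep the evidence, do not drop
    return rec

def search(log_text, msg_type):
    """Return every record of msg_type, including partially parsed ones."""
    wanted = msg_type.upper()
    recs = (parse_record(l) for l in log_text.splitlines())
    return [r for r in recs if r is not None and r["type"] == wanted]

def raw_count(log_text, msg_type):
    """Equivalent of: grep "type=LOGIN" audit.log | wc -l"""
    needle = "type=" + msg_type.upper()
    return sum(1 for l in log_text.splitlines() if needle in l)

def dropped(log_text, msg_type):
    """Records visible to grep but missing from search results."""
    return raw_count(log_text, msg_type) - len(search(log_text, msg_type))

if __name__ == "__main__":
    for r in search(SAMPLE_LOG, "login"):
        print(r["serial"], r["fields"], r["unparsed"])
    print("dropped:", dropped(SAMPLE_LOG, "login"))
```

A non-zero result from `dropped()` is the same symptom as the `ausearch` versus `grep` mismatch shown in the session.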
