On Monday, February 28, 2022 12:29:54 PM EST Mark Gardner wrote: <snip>
> Notice no information on what file was copied / removed? > > Even the earlier log entries don't show what file was copied / removed. This might be related to record formats changing. > If I downgrade to audit 3.0-0.17, everything is there. > > Is there another way to monitor a directory so we know which files were > modified / removed? Well, you can always do ausearch -k test --raw | aureport -f I'll take a look and see if I can spot what has changed and how this could be fixed. -Steve -- Linux-audit mailing list [email protected] https://listman.redhat.com/mailman/listinfo/linux-audit
