Hi,
Regarding the sample record below, is there a reason we got rid of the acct=
field and now have two uid fields? I know the second uid field that is part of
the message is referring to the uid of the user that logged in, but I think
having the acct= (telling us the user name) was more useful... Also having two
fields named the same within the same record is confusing for parsing.
type=USER_LOGIN msg=audit(1158765381.613:26419): user pid=25321 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c255 msg='uid=500:
exe="/usr/sbin/sshd" (hostname=mysystem.ibm.com, addr=2.0.0.0,
terminal=/dev/pts/3 res=success)'
To recreate this:
- Tail the audit log file
- In another window ssh to the system, and you'll see the above record among a
few others.
btw, other user related records that get generated (USER_START, USER_ACCT,
USER_REFR) all have the acct= field.
I am running with:
# uname -a
Linux system.ibm.com 2.6.17-1.2586.2.2.fc6.lspp.48 #1 SMP Wed Aug 30 15:51:12
EDT 2006 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q audit
audit-1.2.6-3
Thanks,
- Loulwa
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
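The parsing confusion raised in the message (two uid= fields in one record) comes from the outer record fields and the nested msg='...' text sharing key names. As an added example, not part of the original mail or of the audit package, this parser keeps the two namespaces apart; the USER_LOGIN sample is the record quoted above re-joined onto one line, while the USER_START record is a constructed sample whose exact shape is assumed, used only to show the acct= fallback.

```python
import re

# Constructed sample input: the USER_LOGIN record quoted in the message,
# re-joined onto one line as it appears in /var/log/audit/audit.log.
USER_LOGIN = (
    "type=USER_LOGIN msg=audit(1158765381.613:26419): user pid=25321 uid=0 "
    "auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c255 msg='uid=500: "
    'exe="/usr/sbin/sshd" (hostname=mysystem.ibm.com, addr=2.0.0.0, '
    "terminal=/dev/pts/3 res=success)'"
)

# Constructed sample with an assumed shape: a record of the kind the message
# says still carries acct=. Only used to exercise the acct= fallback below.
USER_START = (
    "type=USER_START msg=audit(1158765381.620:26420): user pid=25321 uid=0 "
    "auid=500 subj=system_u:system_r:sshd_t:s0-s15:c0.c255 msg='op=login "
    'acct=testuser exe="/usr/sbin/sshd" (hostname=mysystem.ibm.com, '
    "addr=2.0.0.0, terminal=/dev/pts/3 res=success)'"
)

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
INNER = re.compile(r"msg='(.*)'$")
OUTER_KV = re.compile(r"(\w+)=(\S+)")                 # whitespace-delimited
INNER_KV = re.compile(r'(\w+)=("[^"]*"|[^\s,:)]+)')  # also stops at , : )


def parse_record(line):
    """Split one audit record into its header, the outer (reporting process)
    fields and the nested msg='...' (event) fields, so that the outer uid=
    (sshd running as root) never overwrites the uid= of the user who logged in."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, ts, serial, rest = m.groups()
    inner = INNER.search(rest)
    outer_text = rest[: inner.start()] if inner else rest
    outer = {k: v.strip('"') for k, v in OUTER_KV.findall(outer_text)}
    event = {k: v.strip('"') for k, v in INNER_KV.findall(inner.group(1))} if inner else {}
    return {"type": rtype, "time": float(ts), "serial": int(serial),
            "outer": outer, "event": event}


def login_account(rec):
    """Account that logged in: acct= when the event carries it, otherwise the
    uid= inside msg='...'; the outer uid= is deliberately not consulted."""
    ev = rec["event"]
    return ev.get("acct") or ev.get("uid")


if __name__ == "__main__":
    for raw in (USER_LOGIN, USER_START):
        rec = parse_record(raw)
        print(rec["type"], "outer uid", rec["outer"]["uid"], "login", login_account(rec))
```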