On Fri, 2008-10-24 at 14:28 -0400, John Dennis wrote:
> This problem occurs because ausearch naively assumes the log data it's
> parsing originated on the same machine it's running on. Instead of
> reading the arch from the audit record it calls audit_detect_machine()
> which calls uname(). It then uses the machine arch it found with uname()
> to interpret the syscall number. Auparse has the same problem.
The audit-viewer gets the right syscall for the event's arch.
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
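
The mismatch discussed in this thread, as an added example that is not part of either message and is not code from the audit project: the same syscall number resolved per the `arch=` field of each record rather than the local machine. The function names, the table excerpts and the sample records are constructed for illustration; the two arch constants are the AUDIT_ARCH_I386 and AUDIT_ARCH_X86_64 values from `<linux/audit.h>`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* AUDIT_ARCH_* values as they appear in the arch= field of a SYSCALL record. */
#define ARCH_I386   0x40000003UL
#define ARCH_X86_64 0xc000003eUL
struct sc { unsigned long nr; const char *name; };
/* Short excerpts of the two syscall tables, enough to show where they diverge. */
static const struct sc i386_tbl[]   = {{2,"fork"},{3,"read"},{4,"write"},{5,"open"},{11,"execve"}};
static const struct sc x86_64_tbl[] = {{0,"read"},{1,"write"},{2,"open"},{3,"close"},{59,"execve"}};

/* Read a numeric "key=value" field from one record; returns 0 on success. */
static int field(const char *rec, const char *key, int base, unsigned long *out)
{
    size_t klen = strlen(key);
    for (const char *p = rec; (p = strstr(p, key)) != NULL; p += klen) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            char *end;
            *out = strtoul(p + klen + 1, &end, base);
            return end == p + klen + 1 ? -1 : 0;
        }
    }
    return -1;
}

/* Resolve the syscall name using the arch recorded in the event itself. */
const char *syscall_name_from_record(const char *rec)
{
    unsigned long arch, nr;
    const struct sc *tbl; size_t n;
    if (field(rec, "arch", 16, &arch) || field(rec, "syscall", 10, &nr))
        return NULL;
    if (arch == ARCH_I386) { tbl = i386_tbl; n = sizeof i386_tbl / sizeof *i386_tbl; }
    else if (arch == ARCH_X86_64) { tbl = x86_64_tbl; n = sizeof x86_64_tbl / sizeof *x86_64_tbl; }
    else return NULL; /* unknown arch: do not fall back to the local machine */
    for (size_t i = 0; i < n; i++)
        if (tbl[i].nr == nr) return tbl[i].name;
    return NULL;
}

int main(void)
{
    /* Constructed records: same syscall number, different originating arch. */
    const char *a = "type=SYSCALL msg=audit(1224872894.100:1): arch=40000003 syscall=2 success=yes";
    const char *b = "type=SYSCALL msg=audit(1224872894.200:2): arch=c000003e syscall=2 success=yes";
    printf("%s %s\n", syscall_name_from_record(a), syscall_name_from_record(b));
    return 0;
}
```

A tool that applied the x86_64 table to both records would report the first event as `open` when the originating i386 host actually recorded a `fork`.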