Hello all,
I know this is a very simple question, but I cannot find an answer in the
documentation. I have written a parser for the audit system where I am
taking events from the af_unix built-in plugin through a socket, and I am
using those events for system monitoring and passing them off to my own
storage/processing code etc. All this is done already. The question I have
is: can I set up audit rules for the af_unix plugin alone? I want to monitor a
set of system calls, but I do not want those system call events clogging up
the log file unnecessarily, and only want them to be passed to the af_unix
plugin. Is there a way to do this? Right now I just set up the rules
using auditctl, and thus they end up in the log file as well.
Thanks,
Basim Baig
SRI International
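For readers who want to see what a parser for the records the af_unix plugin delivers looks like, here is an added example (not the poster's own parser, and not part of the audit project's code). It assumes the standard text form of audit records, `type=... msg=audit(timestamp:serial): key=value ...`, where every record of one event shares the same serial number; the sample lines are constructed for the example rather than captured from a real system, and the monitoring rule (report failed system calls tagged with a given rule key) is one illustrative check, not the only thing such a parser would do.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (not real captured audit output). They mimic what
# an audisp plugin such as af_unix receives, one record per line. Event 501 is
# a denied openat (syscall 257 on x86_64), 502 the same open succeeding as
# root, 503 an execve (syscall 59) tagged with a different rule key.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d1c0a2f2a0 a2=0 a3=0 items=1 ppid=4120 pid=4133 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="cat" exe="/usr/bin/cat" key="watch_shadow"
type=CWD msg=audit(1700000000.123:501):  cwd="/home/example"
type=PATH msg=audit(1700000000.123:501): item=0 name="/etc/shadow" inode=1310 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1700000001.456:502): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c0a2f2a0 a2=0 a3=0 items=1 ppid=4120 pid=4140 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4 comm="cat" exe="/usr/bin/cat" key="watch_shadow"
type=PATH msg=audit(1700000001.456:502): item=0 name="/etc/shadow" inode=1310 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1700000002.789:503): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=4120 pid=4150 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="ls" exe="/usr/bin/ls" key="exec_monitor"
"""

# Header: record type, then msg=audit(<seconds.millis>:<serial>): followed by the body.
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# Body fields are key=value; quoted values (comm, exe, name, key) may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AuditRecord:
    type: str
    timestamp: float
    serial: int
    fields: dict


def parse_record(line: str) -> AuditRecord:
    """Parse one audit record line into its type, event id and key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    fields = {}
    for key, value in FIELD_RE.findall(m.group("body")):
        # Drop the surrounding quotes from quoted values; keep everything else verbatim.
        fields[key] = value[1:-1] if value.startswith('"') else value
    return AuditRecord(m.group("type"), float(m.group("ts")), int(m.group("serial")), fields)


def group_events(lines):
    """Group records by serial number: one audit event spans several records (SYSCALL, CWD, PATH...)."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        events[rec.serial].append(rec)
    return dict(events)


def failed_syscalls(events, watch_key):
    """Return (serial, syscall, exe, first path) for events tagged watch_key whose syscall failed."""
    hits = []
    for serial, recs in sorted(events.items()):
        syscall_recs = [r for r in recs if r.type == "SYSCALL"]
        if not syscall_recs:
            continue
        sc = syscall_recs[0]
        if sc.fields.get("key") != watch_key or sc.fields.get("success") != "no":
            continue
        paths = [r.fields.get("name") for r in recs if r.type == "PATH"]
        hits.append((serial, sc.fields.get("syscall"), sc.fields.get("exe"), paths[0] if paths else None))
    return hits


if __name__ == "__main__":
    evs = group_events(SAMPLE_RECORDS.splitlines())
    for hit in failed_syscalls(evs, "watch_shadow"):
        print("denied access:", hit)
```

The grouping step matters because the plugin hands over records one at a time: a monitoring decision about a SYSCALL record usually needs the PATH and CWD records that share its serial, so a real consumer should buffer records per serial until the event is complete (auditd emits an EOE record for multi-record events) before acting on them.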