On Friday, October 25, 2013 06:26:20 AM Leam Hall wrote:
> Running aureport gives me a lot of failed syscalls. How do I identify
> what syscalls are failing and what is calling them?

Aureport's purpose is to give summary information. Ausearch gives detailed
information. To get what syscalls are failing, you can just run the "--syscall
--summary" report. To see what is calling them is a bit trickier. You can
isolate the events with ausearch and then pipe them to aureport for
summarizing:
ausearch --start today -m syscall -sv no --raw | aureport -x --summary
If you need to see the individual events, then
ausearch --start today -m syscall -sv no -i
-Steve
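
Added example, not part of the original message and not code from the audit tools: the filter-then-summarize step of the pipeline above, in Python, run over constructed raw SYSCALL records so the fields that `-m syscall -sv no` selects on are visible. The sample records, the function names, and the errno translation of `exit=` are assumptions made for illustration.

```python
import errno
import re
from collections import Counter

# Constructed sample in the key=value layout of raw audit records
# (the form `ausearch --raw` passes on); not events from this thread.
SAMPLE_RAW = """\
type=SYSCALL msg=audit(1382696780.101:501): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1 a1=0 items=1 ppid=900 pid=901 auid=500 uid=500 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1382696781.202:502): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd2 a1=0 items=1 ppid=900 pid=902 auid=500 uid=500 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1382696781.202:502): item=0 name="/etc/hosts" inode=77 dev=fd:00 mode=0100644
type=SYSCALL msg=audit(1382696782.303:503): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd3 a1=0 items=1 ppid=900 pid=903 auid=500 uid=500 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1382696783.404:504): arch=c000003e syscall=87 success=no exit=-2 a0=7ffd4 items=1 ppid=900 pid=904 auid=500 uid=500 comm="run" exe=2F6F70742F6D79206170702F72756E key=(null)
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_path(value):
    """Audit quotes plain strings and hex-encodes ones with spaces or odd bytes."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def failed_syscalls(raw):
    """Yield SYSCALL records with success=no (the -m syscall -sv no filter)."""
    for line in raw.splitlines():
        rec = dict(FIELD.findall(line))
        if rec.get("type") == "SYSCALL" and rec.get("success") == "no":
            yield rec

def summarize(raw):
    """Count failures per (executable, syscall number, errno name)."""
    counts = Counter()
    for rec in failed_syscalls(raw):
        # exit holds the negated errno; fall back to the raw value if unknown
        err = errno.errorcode.get(-int(rec["exit"]), rec["exit"])
        counts[(decode_path(rec["exe"]), rec["syscall"], err)] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (exe, nr, err), n in summarize(SAMPLE_RAW):
        print(f"{n:4d}  {exe}  syscall={nr}  {err}")
```

The syscall numbers are left as recorded because their meaning depends on the `arch=` field; `ausearch -i` does that translation on a live system.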