On Thursday 27 September 2007 13:18:35 Todd, Charles wrote:
> 3. Administrative records are passed, perhaps at dispatcher's startup and
> at the start of a file when rotated, that documents which version of
> auditd, uname -r, output of gnu_get_libc_version(), and the local system
> date/time.
I updated the DAEMON_START record to be like this:
type=DAEMON_START msg=audit(09/27/2007 13:18:04.858:8081) : auditd start,
ver=1.6.3 format=raw kernel=2.6.23-0.202.rc8.fc8 auid=root pid=28173
res=success
So, 1.6.3 and later will have the kernel version & release.
-Steve
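
A sketch of pulling the auditd version and kernel release out of DAEMON_START records in the layout quoted in the message above. This is an added example, not code from the thread or from the audit project; the function names are hypothetical, and the second sample record is constructed on the assumption that a record written before 1.6.3 has the same layout without the kernel= field.

```python
import re

# Header layout as in the quoted record: type=X msg=audit(<date time>:<serial>) : <body>
HEADER = re.compile(
    r"type=(?P<type>\S+) msg=audit\((?P<when>[^)]*):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)"
)
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_record(text):
    """Parse one record; the text may be wrapped over several lines, as in the e-mail."""
    m = HEADER.match(" ".join(text.split()))
    if not m:
        return None
    rec = {"type": m["type"], "when": m["when"], "serial": int(m["serial"])}
    # Free text such as "auditd start," carries no '=' and is skipped.
    rec.update((k, v.rstrip(",")) for k, v in FIELD.findall(m["body"]))
    return rec

def daemon_starts(records):
    """Return (serial, auditd version, kernel) per DAEMON_START; kernel is None if absent."""
    out = []
    for text in records:
        rec = parse_record(text)
        if rec and rec["type"] == "DAEMON_START":
            out.append((rec["serial"], rec.get("ver"), rec.get("kernel")))
    return out

# The record from the message, with its e-mail line wrapping kept.
PAGE_RECORD = """type=DAEMON_START msg=audit(09/27/2007 13:18:04.858:8081) : auditd start,
ver=1.6.3 format=raw kernel=2.6.23-0.202.rc8.fc8 auid=root pid=28173
res=success"""

# Constructed sample: assumed shape of a record from before the kernel= field was added.
OLD_RECORD = ("type=DAEMON_START msg=audit(09/20/2007 08:00:00.000:100) : auditd start, "
              "ver=1.6.2 format=raw auid=root pid=2001 res=success")

if __name__ == "__main__":
    for serial, ver, kernel in daemon_starts([OLD_RECORD, PAGE_RECORD]):
        print(serial, ver, kernel or "kernel not recorded")
```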