Re: aulast only displaying reboot pseudo-users
Le Tue, 17 Jun 2014 09:29:21 -0400,
Steve Grubb <sgrubb(a)redhat.com> a écrit :
On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
[...]
> I'd call this a pretty clear userspace bug where it just
completely
> drops records, even if it can't parse them...
That theory can be tested by using:
ausearch --start this-week --debug > /dev/null
Anything that gets tossed out will be reported to stderr.
I'm getting indeed quite a lot of skipped event:
Malformed event skipped, rc=7. type=LOGIN msg=audit(1402934401.462:1626): pid=1719 uid=0
old-auid=4294967295 new-auid=0 old-ses=4294967295 new-ses=121 res=1
-Steve