Re: the meaning of this audit entry
On DATE, the author spaketh: Steve Grubb
On Monday 19 November 2007 04:22:12 pm Bill Tangren wrote:
> I'd like to know what this audit log entry means:
It is easier to understand these when you give the '-i' option to
ausearch. It
changes things from numeric to text values. It also grounds all records
that
make up the event so that you can see all of it.
For this event:
type=SYSCALL msg=audit(1195572240.060:2971371): arch=40000003 syscall=3
success=no exit=-11 a0=12 a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538
auid=517 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="X"
exe="/usr/X11R6/bin/Xorg"
I issued this command:
# ausearch -i -a 2971371
type=SYSCALL msg=audit(11/20/2007 10:24:00.060:2971371) : arch=i386
syscall=read success=no exit=-11(Resource temporarily unavailable) a0=12
a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 auid=bjt uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=X
exe=/usr/X11R6/bin/Xorg
Now, this system is plugged into a KVM switch, and sometimes the sysadmin
who logs into the GUI stays logged in for days (he forgots to log out),
and the switch is changed to some other system. I don't know if any of
this has anything to do with why I'm getting 500MB worth of logs every
day, but I have noticed that the logs are this big whenever someone is
logged into the GUI.
BTW, this is a RHEL ES 4.6 system.
--
Bill Tangren
U.S. Naval Observatory