On Monday, February 28, 2022 12:29:54 PM EST Mark Gardner wrote:
<snip>
Notice no information on what file was copied / removed?
Even the earlier log entries don't show what file was copied / removed.
This might be related to record formats changing.
If I downgrade to audit 3.0-0.17, everything is there.
Is there another way to monitor a directory so we know which files were
modified / removed?
Well, you can always do ausearch -k test --raw | aureport -f
I'll take a look and see if I can spot what has changed and how this could be
fixed.
-Steve
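
An added example, not part of the original message or the audit project's code: a small parser that groups raw audit records (the kind `ausearch -k test --raw` emits) by event ID and lists the file names from PATH records for events carrying the key, flagging keyed events that have no PATH record at all. The sample records, the `/srv/watched` path, and the `NO_PATH_RECORD` marker are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample records (not taken from the thread); key "test" as in the message.
SAMPLE = """\
type=SYSCALL msg=audit(1646069394.101:901): arch=c000003e syscall=263 success=yes exit=0 comm="rm" key="test"
type=CWD msg=audit(1646069394.101:901): cwd="/srv/watched"
type=PATH msg=audit(1646069394.101:901): item=0 name="/srv/watched" inode=131 nametype=PARENT
type=PATH msg=audit(1646069394.101:901): item=1 name="report.txt" inode=140 nametype=DELETE
type=SYSCALL msg=audit(1646069395.220:902): arch=c000003e syscall=257 success=yes exit=3 comm="cp" key="test"
type=CWD msg=audit(1646069395.220:902): cwd="/srv/watched"
type=PATH msg=audit(1646069395.220:902): item=1 name=6E6577206E616D652E747874 inode=141 nametype=CREATE
type=SYSCALL msg=audit(1646069396.000:903): arch=c000003e syscall=263 success=yes exit=0 comm="rm" key="test"
type=SYSCALL msg=audit(1646069397.000:904): arch=c000003e syscall=257 success=yes exit=3 comm="cat" key="other"
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """Quoted values are literal; unquoted hex is how audit encodes unsafe strings."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # not hex, e.g. (null)

def files_for_key(raw, key):
    """Return (serial, comm, nametype, path) per file touched by events with this key."""
    events = defaultdict(lambda: {"key": None, "comm": "?", "cwd": "", "paths": []})
    for m in filter(None, map(HEADER.match, raw.splitlines())):
        rtype, event_id, body = m.groups()
        f, ev = dict(FIELD.findall(body)), events[event_id]
        if rtype == "SYSCALL":
            ev["key"], ev["comm"] = decode(f.get("key", "")), decode(f.get("comm", "?"))
        elif rtype == "CWD":
            ev["cwd"] = decode(f.get("cwd", ""))
        elif rtype == "PATH" and f.get("nametype") != "PARENT":
            ev["paths"].append((f.get("nametype", "UNKNOWN"), decode(f.get("name", ""))))
    rows = []
    for event_id, ev in events.items():
        if ev["key"] == key:
            serial = int(event_id.split(":")[1])
            # A keyed event with no PATH record has no file name to report.
            for nametype, name in ev["paths"] or [("NO_PATH_RECORD", None)]:
                path = posixpath.join(ev["cwd"], name) if name is not None else None
                rows.append((serial, ev["comm"], nametype, path))
    return rows
```

Rows marked `NO_PATH_RECORD` are the events worth comparing between audit versions, since they carry the watch key but name no file.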