> Ideally, I would like to only capture (or parse) events pertaining to
> rules I have created (since other system processes are using auditd as
> well). Is there any kind of identifier that ties events to rules?
Which kernel are you using? Are your events only watches, or do you care about
syscall auditing as well (meaning you have set some syscall audit rules)?
kernel-2.6.16-1.2212.2.8_FC6.lspp.34.i686 on Fedora Core 5
At the moment they are only watches; I may add others (syscall rules) later.
Thanks again,
Steve
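The identifier the question asks about does exist, and the following is an added illustration of how to use it, not part of the thread above: auditctl's `-k` option attaches a key to a rule (for example `auditctl -w /etc/shadow -p rwa -k shadow-watch`), every record produced by that rule then carries `key="shadow-watch"`, and `ausearch -k shadow-watch` filters on it. The records of one event (SYSCALL, CWD, PATH, ...) share the same `msg=audit(TIMESTAMP:SERIAL)` id, which is how they are tied back together. The parser below does the same selection in Python over constructed sample log lines (they are not from a real system; the rule key `shadow-watch` and the file names are assumptions), so that only events belonging to your own keyed rules are kept and everything else auditd logs is ignored.

```python
import re
from collections import OrderedDict

# Constructed sample lines in auditd's raw-log format (assumed, not captured
# from a real host). msg=audit(TIMESTAMP:SERIAL) links the records of one
# event; key="..." is the -k value of the rule that fired; key=(null) marks an
# event that no keyed rule matched. "shadow-watch" is an assumed rule key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1162338467.123:4567): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=2345 auid=500 uid=0 comm="cat" exe="/bin/cat" key="shadow-watch"
type=CWD msg=audit(1162338467.123:4567):  cwd="/root"
type=PATH msg=audit(1162338467.123:4567): item=0 name="/etc/shadow" inode=131106 dev=fd:00 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1162338470.456:4568): arch=40000003 syscall=5 success=yes exit=4 items=1 pid=2346 auid=500 uid=500 comm="less" exe="/usr/bin/less" key=(null)
type=PATH msg=audit(1162338470.456:4568): item=0 name="/var/log/messages" inode=131200 dev=fd:00 mode=0100640 ouid=0 ogid=0
type=SYSCALL msg=audit(1162338475.789:4569): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=2347 auid=500 uid=500 comm="vi" exe="/bin/vi" key="shadow-watch"
type=PATH msg=audit(1162338475.789:4569): item=0 name="/etc/shadow" inode=131106 dev=fd:00 mode=0100400 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1162338480.000:4570): user pid=2400 uid=0 auid=500 msg='acct="steve" exe="/usr/sbin/sshd" res=success'
"""

# type=TYPE msg=audit(TIMESTAMP:SERIAL): <fields>
MSG_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# name=value pairs; values are either double-quoted strings or bare tokens.
# (Strings containing special characters are hex-encoded and unquoted by
# auditd; they are kept as-is here rather than decoded.)
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Parse one raw audit record into its type, event id and fields."""
    m = MSG_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {}
    for name, value in FIELD_RE.findall(rest):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[name] = value
    return {"type": rtype, "time": float(ts), "serial": int(serial),
            "fields": fields}


def group_events(log_text):
    """Group records into events by their audit serial, in log order."""
    events = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def event_key(records):
    """Return the rule key an event carries, or None if no keyed rule fired."""
    for rec in records:
        key = rec["fields"].get("key")
        if key and key != "(null)":
            return key
    return None


def events_for_key(log_text, wanted_key):
    """Keep only the events generated by the rule tagged with wanted_key."""
    return [recs for recs in group_events(log_text).values()
            if event_key(recs) == wanted_key]


def summarize(records):
    """Condense one event to the fields a watch-rule consumer usually wants."""
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    return {
        "serial": records[0]["serial"],
        "key": event_key(records),
        "comm": syscall["fields"].get("comm") if syscall else None,
        "success": syscall["fields"].get("success") if syscall else None,
        "paths": [r["fields"].get("name") for r in records if r["type"] == "PATH"],
    }


if __name__ == "__main__":
    for ev in events_for_key(SAMPLE_LOG, "shadow-watch"):
        print(summarize(ev))
```

Run against the constructed sample, only the two `/etc/shadow` accesses come back; the `less` event (no key) and the login record are dropped even though auditd logged them alongside. Use one distinct key per rule and the same grouping gives you a per-rule view without touching the other subsystems' events.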