On Thursday 08 June 2006 09:55, Steve wrote:
> Ideally, I would like to only capture (or parse) events pertaining to
> rules I have created (since other system processes are using auditd as
> well). Is there any kind of identifier that ties events to rules?
Which kernel are you using? Are your events only watches, or do you care about
syscall auditing as well (meaning you have set some syscall audit rules)?
-Steve
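The question above asks for an identifier that ties audit events back to the rules that produced them. As an added example (not part of the original thread, and not Steve's answer): auditd rules can carry a key via `-k`, and the kernel copies that key into the resulting records as a `key=` field, so a parser can select events by key and ignore everything generated by other rules. The script below parses constructed audit.log lines, groups the records of one event by their serial number, and keeps only the events whose key set intersects the keys of interest. The rules, log lines and key names are constructed for the example; the hex-encoded multi-key record follows the convention of later auditd releases (keys joined with a 0x01 byte and written unquoted as hex), which is an assumption noted in the code.

```python
"""Filter raw auditd records by rule key (example code, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample. Assume these rules were loaded:
#   auditctl -w /etc/passwd -p rwa -k passwd_watch
#   auditctl -a exit,always -S execve -F uid=500 -k exec_sh
# Event 101 came from the watch, 102 from the syscall rule, 103 is an
# unrelated login record with no key, and 104 carries two keys in the
# hex-encoded form used by later auditd versions (assumption).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1149760525.123:101): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5a2b items=1 pid=4321 uid=0 comm="cat" exe="/bin/cat" key="passwd_watch"
type=CWD msg=audit(1149760525.123:101):  cwd="/root"
type=PATH msg=audit(1149760525.123:101): item=0 name="/etc/passwd" inode=12345 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1149760526.456:102): arch=c000003e syscall=59 success=yes exit=0 pid=4322 uid=500 comm="sh" exe="/bin/sh" key="exec_sh"
type=USER_LOGIN msg=audit(1149760527.789:103): user pid=4323 uid=0 auid=500 msg='op=login acct="steve" exe="/usr/sbin/sshd" hostname=? addr=? terminal=ssh res=success'
type=SYSCALL msg=audit(1149760528.000:104): arch=c000003e syscall=2 success=no exit=-13 pid=4324 uid=500 comm="vi" exe="/usr/bin/vi" key=657865635F736801706173737764
"""

# type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <fields>
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# name=value pairs; values may be double-quoted, single-quoted (nested msg='...'), or bare
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')


def parse_record(line):
    """Parse one raw audit line into a dict; values are kept as written (quotes included)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    for name, value in FIELD_RE.findall(m.group("body")):
        rec[name] = value
    return rec


def decode_key_field(raw):
    """Turn a raw key= value into the set of rule keys it names."""
    if raw is None or raw == "(null)":
        return set()
    if raw.startswith('"'):
        return {raw.strip('"')}
    # Unquoted value: assumed hex-encoded, keys separated by 0x01 (later auditd convention)
    try:
        text = bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:
        return {raw}
    return {k for k in text.split("\x01") if k}


def group_events(log_text):
    """Group records by serial: all records of one event share the same serial number."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


def event_keys(records):
    """Union of rule keys across all records of one event."""
    keys = set()
    for rec in records:
        keys |= decode_key_field(rec.get("key"))
    return keys


def events_for_keys(log_text, wanted):
    """Return {serial: records} for events tagged with at least one of the wanted keys."""
    wanted = set(wanted)
    return {serial: recs for serial, recs in group_events(log_text).items()
            if event_keys(recs) & wanted}


if __name__ == "__main__":
    for serial, recs in sorted(events_for_keys(SAMPLE_LOG, {"passwd_watch", "passwd"}).items()):
        types = ",".join(r["type"] for r in recs)
        print(f"event {serial}: keys={sorted(event_keys(recs))} records={types}")
```

Events with no `key=` field, or with `key=(null)`, are those raised by rules without a key (or by the kernel itself, such as login records), so selecting on the key set is what separates your rules' events from everything else sharing the daemon.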