Re: Why aren't SYSCALLS being logged in CentOS kernel (any ideas?)
On Friday 31 August 2007 13:35:22 Robert Evans wrote:
Hmmm....tried auditctl -l and just got
No rules
OK, that's a start.
Since I have /etc/audit.rules in place, does that indicate the
syscall
auditing part of the kernel is compiled in.
Well, that file is for user space. But on RHEL5, that file's location has
changed. So maybe that is your problem? It should be:
/etc/audit/audit.rules
But, you can load the rules where they are by hand:
auditctl -R /etc/audit.rules
to make sure its working. See if that doesn't fix your problem.
-Steve