Steve Grubb wrote:
It basically says that audit records may be emitted as event records are
generated as opposed to syscall exit. The problem shows up during stress
testing. The records that get sent from the kernel are nowhere close to each
other and are hard to correlate.
I've been using ausearch to find things and it seems to do a nice
job of putting the pieces together. Maybe we need an option to
dump everything, or maybe have an aucat command? Or are you finding
that under the stress testing, the ausearch command doesn't work well
because the records are so far apart?
-- ljk
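The correlation the thread is talking about hinges on one field: every record that belongs to the same audit event carries the same `msg=audit(SECONDS.MILLIS:SERIAL):` key, and grouping on that key is how ausearch reassembles an event from records that arrive far apart or interleaved with other events. The script below is an added example (not code from the thread, auditd or ausearch) that does that grouping over a few constructed log lines, including one event whose EOE record never arrives, which is the case a reader of a stress-test capture most needs to spot.

```python
"""Correlate Linux audit records into events by their audit(timestamp:serial) key.

Added example, not part of the thread. Records sharing one
'msg=audit(SECONDS.MILLIS:SERIAL):' key belong to one event; the log
lines below are constructed sample data, not captured from a real system.
"""
import re
from collections import OrderedDict

# Constructed sample: records for events 4201 and 4202 are interleaved,
# and event 4203 is never closed by an EOE record (a truncated capture).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4201): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/usr/bin/cat"
type=SYSCALL msg=audit(1700000000.124:4202): arch=c000003e syscall=59 success=yes exit=0 comm="bash" exe="/usr/bin/bash"
type=CWD msg=audit(1700000000.123:4201): cwd="/home/user"
type=EXECVE msg=audit(1700000000.124:4202): argc=2 a0="ls" a1="-l"
type=PATH msg=audit(1700000000.123:4201): item=0 name="/etc/passwd" inode=1234 mode=0100644
type=CWD msg=audit(1700000000.124:4202): cwd="/tmp"
type=SYSCALL msg=audit(1700000000.130:4203): arch=c000003e syscall=1 success=yes exit=5 comm="bash" exe="/usr/bin/bash"
type=PATH msg=audit(1700000000.124:4202): item=0 name="/usr/bin/ls" inode=5678 mode=0100755
type=EOE msg=audit(1700000000.124:4202):
type=EOE msg=audit(1700000000.123:4201):
"""

# The event key as written by the kernel: seconds, milliseconds, serial.
EVENT_KEY = re.compile(r'msg=audit\((?P<sec>\d+)\.(?P<msec>\d+):(?P<serial>\d+)\):')
TYPE_RE = re.compile(r'^type=(\S+)')


def parse_record(line):
    """Return (event_key, record_type, line) or None if the line has no audit key."""
    m = EVENT_KEY.search(line)
    if not m:
        return None
    key = (int(m['sec']), int(m['msec']), int(m['serial']))
    t = TYPE_RE.match(line)
    return key, (t.group(1) if t else "UNKNOWN"), line.rstrip("\n")


def correlate(log_text):
    """Group records into events keyed by (sec, msec, serial).

    Events are kept in order of their first record; records within an
    event keep their arrival order, however far apart they were in the log.
    """
    events = OrderedDict()
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        key, rtype, rec = parsed
        events.setdefault(key, []).append((rtype, rec))
    return events


def event_types(events, key):
    """Record types of one event, in arrival order."""
    return [rtype for rtype, _ in events[key]]


def complete_events(events):
    """Keys of events that have a SYSCALL record and were closed by EOE."""
    return [key for key, records in events.items()
            if {"SYSCALL", "EOE"} <= {rtype for rtype, _ in records}]


def incomplete_events(events):
    """Keys of events that never received an EOE record (still open or truncated)."""
    return [key for key, records in events.items()
            if "EOE" not in {rtype for rtype, _ in records}]


if __name__ == "__main__":
    ev = correlate(SAMPLE_LOG)
    for key, records in ev.items():
        print("event %d.%03d:%d -> %s" % (key[0], key[1], key[2],
                                          ",".join(t for t, _ in records)))
    print("incomplete:", incomplete_events(ev))
```

Records are grouped purely on the key, so distance between records in the stream does not matter; what does matter is when to stop waiting for an event's EOE, which is the judgement `incomplete_events` leaves to the caller.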