On Tuesday 29 July 2008 21:06:45 Peng Haitao wrote:
When the watched file is deleted or renamed, the log will be made.
You can get the result by the following steps:
1. # service auditd start
2. # touch temp_file
3. # auditctl -w `pwd`/temp_file -k temp_file
4. # rm -f temp_file
/var/log/audit/audit.log will contain:
node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551948.386:97101):
op=updated rules specifying path="/home/pht/temp_file" with dev=4294967295
ino=4294967295 list=0 res=1
I am applying a patch that will allow parsing for missing auid fields in
CONFIG_CHANGE records. I think that is the only loose end to tie up on this
bug report.
-Steve
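
An added example, not part of the original message or the audit project's code: a tolerant parser for the CONFIG_CHANGE record quoted above that returns None for auid when the field is missing instead of failing. The function names, the constructed auid=500 variant, and reading 4294967295 as an unset dev/ino value are assumptions of this example.

```python
import re

# Record from the message above, joined onto one line.
SAMPLE = ('node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551948.386:97101): '
          'op=updated rules specifying path="/home/pht/temp_file" '
          'with dev=4294967295 ino=4294967295 list=0 res=1')
# Constructed variant that carries an auid field (the value 500 is made up).
SAMPLE_AUID = SAMPLE.replace(" op=", " auid=500 op=")

HEADER = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')
# key=value; a quoted value is consumed whole, so '=' inside a path is safe.
FIELD = re.compile(r'(\w+)=("[^"]*"|[^\s"]+)')
UNSET = 0xFFFFFFFF  # 4294967295, read here as "not set" (assumption)


def fields(text):
    """Split a record into a dict of its key=value fields."""
    out = {}
    matches = list(FIELD.finditer(text))
    for i, m in enumerate(matches):
        key, val = m.group(1), m.group(2)
        if key == "op" and not val.startswith('"'):
            # Unquoted op text contains spaces; it runs up to the next field.
            end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
            val = text[m.start(2):end].strip()
        out[key] = val.strip('"')
    return out


def parse_config_change(line):
    """Parse one CONFIG_CHANGE record; absent numeric fields become None."""
    f = fields(line)
    m = HEADER.search(f.get("msg", ""))
    if m is None:
        raise ValueError("no msg=audit(sec.msec:serial) header")

    def num(key):
        v = f.get(key)
        return int(v) if v is not None and v.isdigit() else None

    return {
        "node": f.get("node"), "type": f.get("type"),
        "time": int(m.group(1)), "serial": int(m.group(3)),
        "auid": num("auid"),  # None when the record has no auid field
        "op": f.get("op"), "path": f.get("path"), "res": num("res"),
        "watch_unset": num("dev") == UNSET and num("ino") == UNSET,
    }


if __name__ == "__main__":
    print(parse_config_change(SAMPLE))
```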