ausearch with message types does not return what I think it would return. (0 matches when adding a user)

Tuesday, 30 June 2015

Good day,

I am new with auditd, and got some issues..

For example,  When I add or delete a user,  I cannot see the entry with ausearch -m
ADD_USER, it returns 0 match, BUT  its logging it under USER_AUTH. If I do a ausearch -x
adduser, ill thee se event audit.log with the EXECVE Type:

# ausearch -x useradd | grep titi
type=EXECVE msg=audit(1435677075.900:49410): argc=2 a0="useradd"
a1="titi"

I also tried to  find a full description of all message types  returned by ausearch -m 
but could not find any..  Any help on this would be appreciated as well.

Many thanks.

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004