Re: [Fed-Talk] auditreduce -o pid=num
- Subject: Re: [Fed-Talk] auditreduce -o pid=num
- From: Stacey Son <email@hidden>
- Date: Fri, 18 Feb 2011 21:44:28 -0600
Hi Todd:
After a very quick look at the openbsm source code, it looks like auditreduce is only filtering using the AUT_PROCESS/AUT_PROCESS32 token with the "-o pid=num" option. If the audit records are using the AUT_PROCESS64, AUT_PROCESS64_EX, or AUT_PROCESS32_EX token instead, then it seems it will miss those audit records. This might be a bug.
Best Regards,
-stacey.
On Feb 18, 2011, at 12:28 PM, Todd Heberlein wrote:
> Has anyone used the auditreduce command and filtered on a specific process ID? I can't seem to get it to work, and I am wondering if I am doing something wrong. For example, I am trying
>
> $ auditreduce -o pid=202 exp51.bsm
>
> but I get nothing.
>
> Thanks,
>
> Todd
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
----
Stacey Son
email@hidden
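To make the token-variant point concrete, here is an added example (not OpenBSM's code and not from either poster) of a pid filter over a BSM trail that honours all four process token kinds, alongside a filter restricted to AUT_PROCESS32 that reproduces the behaviour Stacey describes. Token ids, the process/subject token layouts and the AU_IPv4/AU_IPv6 address-type values follow OpenBSM's bsm/audit_record.h as the author of this example knows them; the sample trail, its uids, event number and addresses are constructed for the demonstration.

```python
import struct

# Token ids from OpenBSM's bsm/audit_record.h (as known to the example author).
AUT_TRAILER, AUT_HEADER32 = 0x13, 0x14
AUT_SUBJECT32, AUT_PROCESS32, AUT_RETURN32 = 0x24, 0x26, 0x27
AUT_SUBJECT64, AUT_PROCESS64 = 0x75, 0x77
AUT_SUBJECT32_EX, AUT_PROCESS32_EX = 0x7a, 0x7b
AUT_SUBJECT64_EX, AUT_PROCESS64_EX = 0x7c, 0x7d
AU_IPv4, AU_IPv6 = 4, 16                      # terminal address type in *_EX tokens

ALL_PROCESS_TOKENS = {AUT_PROCESS32, AUT_PROCESS64, AUT_PROCESS32_EX, AUT_PROCESS64_EX}
LEGACY_PROCESS_TOKENS = {AUT_PROCESS32}       # only AUT_PROCESS32, as the reply describes
_64BIT = {AUT_SUBJECT64, AUT_PROCESS64, AUT_SUBJECT64_EX, AUT_PROCESS64_EX}
_EX = {AUT_SUBJECT32_EX, AUT_PROCESS32_EX, AUT_SUBJECT64_EX, AUT_PROCESS64_EX}
_PROC_LIKE = _64BIT | _EX | {AUT_SUBJECT32, AUT_PROCESS32}

def parse_proc_token(tok_id, rec, off):
    """Parse a subject/process token body at rec[off:]; return (fields, next_off).
    fields = (auid, euid, egid, ruid, rgid, pid, sid); pid is fields[5]."""
    fields = struct.unpack_from(">7I", rec, off)
    off += 28
    off += 8 if tok_id in _64BIT else 4          # terminal port: 64- or 32-bit
    if tok_id in _EX:                            # typed address: 4 or 16 bytes
        addr_type = struct.unpack_from(">I", rec, off)[0]
        off += 4
        if addr_type == AU_IPv4:
            off += 4
        elif addr_type == AU_IPv6:
            off += 16
        else:
            raise ValueError(f"unknown address type {addr_type}")
    else:
        off += 4                                 # plain IPv4 machine address
    return fields, off

def iter_tokens(rec):
    """Yield (token_id, fields_or_None) for every token in one BSM record."""
    off = 0
    while off < len(rec):
        tok_id = rec[off]
        off += 1
        if tok_id == AUT_HEADER32:
            off += 17                            # len(4) ver(1) ev(2) mod(2) sec(4) msec(4)
            yield tok_id, None
        elif tok_id == AUT_TRAILER:
            off += 6                             # magic(2) len(4)
            yield tok_id, None
        elif tok_id == AUT_RETURN32:
            off += 5                             # status(1) return value(4)
            yield tok_id, None
        elif tok_id in _PROC_LIKE:
            fields, off = parse_proc_token(tok_id, rec, off)
            yield tok_id, fields
        else:
            raise ValueError(f"unsupported token 0x{tok_id:02x} at offset {off - 1}")

def split_records(data):
    """Split a trail into records using the record length in each header32 token."""
    recs, off = [], 0
    while off < len(data):
        if data[off] != AUT_HEADER32:
            raise ValueError(f"expected header32 at offset {off}")
        rec_len = struct.unpack_from(">I", data, off + 1)[0]
        recs.append(data[off:off + rec_len])
        off += rec_len
    return recs

def filter_by_pid(data, pid, token_ids=ALL_PROCESS_TOKENS):
    """Return indices of records whose process token (of an accepted kind) carries pid."""
    hits = []
    for i, rec in enumerate(split_records(data)):
        if any(t in token_ids and f[5] == pid for t, f in iter_tokens(rec)):
            hits.append(i)
    return hits

# ---- constructed sample trail (not real audit data) ----
def _proc_body(pid, tok_id):
    body = struct.pack(">7I", 501, 501, 20, 501, 20, pid, 100)           # constructed ids
    body += struct.pack(">Q" if tok_id in _64BIT else ">I", 0x1234)       # terminal port
    if tok_id in _EX:
        body += struct.pack(">I", AU_IPv6) + b"\x00" * 15 + b"\x01"      # ::1
    else:
        body += b"\x7f\x00\x00\x01"                                       # 127.0.0.1
    return body

def make_record(proc_tok_id, pid):
    body = bytes([AUT_SUBJECT32]) + _proc_body(1000, AUT_SUBJECT32)       # acting subject
    body += bytes([proc_tok_id]) + _proc_body(pid, proc_tok_id)           # target process
    body += bytes([AUT_RETURN32]) + b"\x00" + struct.pack(">I", 0)
    total = 18 + len(body) + 7                                            # header + body + trailer
    header = struct.pack(">BIBHHII", AUT_HEADER32, total, 11, 0, 0, 1298065468, 0)
    return header + body + struct.pack(">BHI", AUT_TRAILER, 0xB105, total)

TRAIL = b"".join([make_record(AUT_PROCESS32, 202), make_record(AUT_PROCESS64, 202),
                  make_record(AUT_PROCESS32_EX, 202), make_record(AUT_PROCESS64_EX, 202),
                  make_record(AUT_PROCESS32, 303)])

if __name__ == "__main__":
    print("all token kinds:", filter_by_pid(TRAIL, 202))
    print("AUT_PROCESS32 only:", filter_by_pid(TRAIL, 202, LEGACY_PROCESS_TOKENS))
```

Run as a script it shows four records matching pid 202 when every process token kind is honoured and only one when the filter is limited to AUT_PROCESS32, which is the gap a reviewer would want to confirm against the real auditreduce source before treating a silent "no output" as proof that a pid never appeared in the trail.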