difference between success and failed event in auditd/aureport

Posted by user112358132134 on Server Fault See other posts from Server Fault or by user112358132134
Published on 2012-09-25T21:22:41Z Indexed on 2012/09/25 21:39 UTC
Read the original article Hit count: 149

Filed under:

linux

|

auditd

The aureport command has two options that limit the list of displayed events to those that were successful and those that failed. Per the man page:

   --failed
          Only select failed events for processing in the reports. The default is both success and failed events.
   --success
          Only select successful events for processing in the reports. The default is both success and failed events.

What does this mean? Is the failure/success with regard to the actual event (e.g., a syscall that returned non-zero) or does the failure/success apply to auditd and whether or not there was an issue in processing the event?

© Server Fault or respective owner

Related posts about linux

apt-get install and update fail

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I've got a problem with apt-get update and apt-get install ... commands . every time update or installing fails and errors are : Get:1 http://dl.google.com stable Release.gpg [198B] Ign http://dl.google.com/linux/chrome/deb/ stable/main Translation-en_US Get:2 http://dl… >>> More
kernel module compiling error

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
sh@ubuntu:/home/ccpp/helloworld$ make gcc-4.6 -O2 -DMODULE -D_KERNEL_ -W -Wall -Wstrict-prototypes -Wmissing-prototypes -isystem /lib/modules/`uname -r`/build/include -c -o hello-1.o hello-1.c hello-1.c:4:0: warning: "MODULE" redefined [enabled by default] <command-line>:0:0: note: this is… >>> More
Build-Essentials installation failing

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I am having trouble accessing the several critical header files that show to be a part of the build process. The "Ubuntu Software Center" shows "Build Essentials" as installed: Next I did the following two commands, which did not improve the problem: ~$ sudo apt-get install build-essential [sudo]… >>> More
Updating Debian kernel

as seen on Super User - Search for 'Super User'
I'm trying to update my Debian machine to 2.6.32-46 (which is the new stable). However, after doing apt-get update my apt-cache search linux-image shows me: linux-headers-2.6.32-5-486 - Header files for Linux 2.6.32-5-486 linux-headers-2.6.32-5-686-bigmem - Header files for Linux 2.6.32-5-686-bigmem linux-headers-2… >>> More
Serial connection over a single USB cable (Windows to linux, or linux to linux)

as seen on Server Fault - Search for 'Server Fault'
I'm helping out with a project for an embedded device that only has USB and no serial. This device is running Linux. These days, when we need to connect to a serial port on a device we typically use a USB to serial adapter (on something like a phone system or a load balancing device, etc). I would… >>> More

Related posts about auditd

Suggestion for auditd set-up

as seen on Server Fault - Search for 'Server Fault'
Hi, I am trying to learn about securing a Linux box (I am using Ubuntu). Auditd is recommended for monitoring activities on the node. I have managed to install it, but I can't find much information about proper set-up to secure my node. How should I set-up auditd to make my node more secure? What… >>> More
difference between success and failed event in auditd/aureport

as seen on Server Fault - Search for 'Server Fault'
The aureport command has two options that limit the list of displayed events to those that were successful and those that failed. Per the man page: --failed Only select failed events for processing in the reports. The default is both success and failed events. --success … >>> More
Problems getting auditd set up on my server

as seen on Server Fault - Search for 'Server Fault'
I'm trying to figure out which processes are deleting files from a specific directory, so I want to set up and run auditd on my system. I've set up the following rule in audit.rules: -w S unlink -S truncate -S ftruncate -a exit,always -k cache_deletion -w /home/myfolder/cache Then I type this to… >>> More
Unable to start auditd

as seen on Server Fault - Search for 'Server Fault'
I am on CentOS 5.8 final I recently installed auditd via yum install audit however I am unable to start it. I edited the configuration file to give a verbose output of the error it is recieving in starting up and this is the output: # service auditd start Starting auditd: Config file /etc/audit/auditd… >>> More
Trying to make changes to the size of the events buffer in prelude-ids auditd plugin

as seen on Server Fault - Search for 'Server Fault'
I am running systems using the prelude-ids plugin for auditd. When the manager is up every thing works fine however I have a requirement that when the clients can't talk to the manager they should store no more than 250MB of messages, and when they hit that point they should start deleting the oldest… >>> More