[systemd-devel] filtering journal logs
Lennart Poettering
lennart at poettering.net
Mon Jun 22 14:22:05 PDT 2015
On Mon, 22.06.15 23:16, Michał Zegan (webczat_200 at poczta.onet.pl) wrote:
> Are audit messages in _TRANSPORT=audit in systemd 219, or later only?
Since day #1 of the native audit support they are _TRANSPORT=audit,
hence also in v219.
Note though that the kernel also copies audit msgs to kmsg -- if you
have no auditd running. Those messages are considered kmsg messages,
and cannot sanely be detected. The kernel really needs to be fixed to
not dump audit msgs to kmsg anymore if userspace is listening via
multicast audit, the way journald does it.
Lennart
--
Lennart Poettering, Red Hat
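
Added example, not part of the original message or of systemd: Python that splits `journalctl -o json` output by `_TRANSPORT`, keeping native audit records apart from kernel-log entries whose text merely resembles an audit record. The sample entries are constructed, and the regex for the kmsg audit text layout is an assumption; a match is only a hint, because those entries are ordinary kmsg text.

```python
import json
import re

# Constructed sample in `journalctl -o json` form (one JSON object per line).
SAMPLE = "\n".join(json.dumps(e) for e in [
    {"_TRANSPORT": "audit", "MESSAGE": "USER_LOGIN pid=812 uid=0 res=success"},
    {"_TRANSPORT": "kernel",
     "MESSAGE": 'audit: type=1400 audit(1435008125.101:27): apparmor="DENIED"'},
    {"_TRANSPORT": "kernel",
     "MESSAGE": "type=1006 audit(1435008130.500:28): pid=900 uid=0"},
    {"_TRANSPORT": "kernel", "MESSAGE": "usb 1-1: new high-speed USB device"},
    {"_TRANSPORT": "syslog",
     "MESSAGE": "audit: type=1400 audit(1.0:1): text written by a daemon"},
])

# Assumed layout of audit text in kmsg: optional "audit: " prefix, then
# "type=<n> audit(<sec>.<msec>:<serial>):". Heuristic, not authoritative.
KMSG_AUDIT = re.compile(r"^(?:audit: )?type=\d+ audit\(\d+\.\d+:\d+\):")


def classify(entry):
    """Return 'audit', 'kmsg-audit-lookalike' or 'other' for one entry."""
    transport = entry.get("_TRANSPORT")
    message = entry.get("MESSAGE")
    if transport == "audit":
        return "audit"  # received by journald over the audit transport
    # MESSAGE can be a byte array (list of ints) for non-UTF-8 data; skip those.
    if (transport == "kernel" and isinstance(message, str)
            and KMSG_AUDIT.match(message)):
        return "kmsg-audit-lookalike"
    return "other"


def split_journal(text):
    """Group JSON-lines journal output into the three classes above."""
    buckets = {"audit": [], "kmsg-audit-lookalike": [], "other": []}
    for line in text.splitlines():
        if line.strip():
            entry = json.loads(line)
            buckets[classify(entry)].append(entry)
    return buckets


if __name__ == "__main__":
    for name, entries in split_journal(SAMPLE).items():
        print(f"{name}: {len(entries)}")
```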