auditd never logs arguments when sending to remote server
I seem to be getting different results when sending my auditd logs off box.
This is what I see on the local box after doing ausearch -k "My Key":
time->Wed Nov 30 17:47:59 2011
node=192.168.91.147 type=PATH msg=audit(1322675279.923:2995): item=1 name=(null) inode=228906 dev=03:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
node=192.168.91.147 type=PATH msg=audit(1322675279.923:2995): item=0 name="/bin/ls" inode=97994 dev=03:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
node=192.168.91.147 type=CWD msg=audit(1322675279.923:2995): cwd="/etc"
node=192.168.91.147 type=EXECVE msg=audit(1322675279.923:2995): argc=2 a0="ls" a1="-l"
node=192.168.91.147 type=SYSCALL msg=audit(1322675279.923:2995): arch=c000003e syscall=59 success=yes exit=0 a0=8c5e28 a1=8c8ec8 a2=8c1008 a3=0 items=2 ppid=30917 pid=31368 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=14 comm="ls" exe="/bin/ls" key="My Key"
and this is what I get on the remote server:
time->Wed Nov 30 17:47:59 2011
node=192.168.91.147 type=EXECVE msg=audit(1322675279.923:2995): argc=2 a0="ls"
node=192.168.91.147 type=SYSCALL msg=audit(1322675279.923:2995): arch=c000003e syscall=59 success=yes exit=0 a0=8c5e28 a1=8c8ec8 a2=8c1008 a3=0 items=2 ppid=30917 pid=31368 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=14 comm="ls" exe="/bin/ls" key="My Key"
As you can see, I'm losing "a1=-l" and a bunch more information.
In the /var/log/audit/audit.log file on the server, I get a bunch of blank spaces after a0="ls". It would seem to me that would be the culprit, but I don't know how to fix it.
I'm using audisp-remote to send the data across.
Client:
Debian Lenny with 1.7.4-1
Server:
CentOS 5.5 with 1.7.18-2.el5
Any ideas?
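A small checker for the symptom described in the question, as an added example that is not part of the original post or of the audit package: it parses audit records, compares the `aN` fields of each EXECVE record against its `argc`, and reports records that arrived short or with the trailing blank padding the poster sees on the server. The sample records are constructed from the ones quoted above (the padding length and the extra hex-encoded argument are assumptions for illustration); point `find_truncated_execve` at the text of a real audit.log to run it against live data.

```python
import re
from typing import Dict, List

# Constructed sample input, modelled on the records in the question: the
# complete local copy, the truncated copy as seen on the remote server (with the
# trailing blank padding the poster describes, assumed here to be 12 spaces),
# and one extra record with a hex-encoded argument, which auditd emits unquoted
# when the argument contains a space or other special character.
SAMPLE_LOCAL = (
    'node=192.168.91.147 type=EXECVE msg=audit(1322675279.923:2995): '
    'argc=2 a0="ls" a1="-l"\n'
)
SAMPLE_REMOTE = (
    'node=192.168.91.147 type=EXECVE msg=audit(1322675279.923:2995): '
    'argc=2 a0="ls"' + ' ' * 12 + '\n'
    'node=192.168.91.147 type=SYSCALL msg=audit(1322675279.923:2995): '
    'arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls" key="My Key"\n'
)
SAMPLE_HEX = (
    'node=192.168.91.147 type=EXECVE msg=audit(1322675279.923:2996): '
    'argc=2 a0="ls" a1=2F746D702F612062\n'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')   # event serial inside msg=audit(...)
ARG_RE = re.compile(r'^a(\d+)$')                         # a0, a1, ... (not a1_len etc.)


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a field dict, keeping values as written
    (quotes retained so callers can tell quoted text from hex encoding)."""
    rec = dict(FIELD_RE.findall(line))
    m = SERIAL_RE.search(line)
    rec["serial"] = m.group(1) if m else ""
    return rec


def decode_value(raw: str) -> str:
    """Quoted values are literal; unquoted EXECVE args are hex-encoded bytes."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw


def execve_args(rec: Dict[str, str]) -> List[str]:
    """Return the decoded aN arguments of an EXECVE record in index order."""
    idx = sorted((int(ARG_RE.match(k).group(1)), k) for k in rec if ARG_RE.match(k))
    return [decode_value(rec[k]) for _, k in idx]


def find_truncated_execve(text: str) -> List[Dict]:
    """Report EXECVE records whose aN fields do not cover 0..argc-1, and any
    trailing blank padding on the line (the symptom described in the question)."""
    findings = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "EXECVE":
            continue
        argc = int(rec.get("argc", "0"))
        present = {int(ARG_RE.match(k).group(1)) for k in rec if ARG_RE.match(k)}
        missing = [i for i in range(argc) if i not in present]
        padding = len(line) - len(line.rstrip(" "))
        if missing or padding:
            findings.append({"serial": rec["serial"], "argc": argc,
                             "missing": missing, "padding": padding,
                             "args": execve_args(rec)})
    return findings


if __name__ == "__main__":
    for label, sample in (("local", SAMPLE_LOCAL), ("remote", SAMPLE_REMOTE)):
        for f in find_truncated_execve(sample):
            print(f"{label}: event {f['serial']} argc={f['argc']} "
                  f"missing a{f['missing']} padding={f['padding']} args={f['args']}")
```

Running this over a full remote audit.log makes it easy to confirm whether every EXECVE record is affected or only long ones, which narrows the problem down to record-length handling in the transport rather than to a rule or key mismatch.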