I seem to be getting different results when sending my auditd logs off box.

This is what I see on the local box after doing ausearch -k "My Key":

time->Wed Nov 30 17:47:59 2011
node=192.168.91.147 type=PATH msg=audit(1322675279.923:2995): item=1 name=(null) inode=228906 dev=03:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
node=192.168.91.147 type=PATH msg=audit(1322675279.923:2995): item=0 name="/bin/ls" inode=97994 dev=03:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
node=192.168.91.147 type=CWD msg=audit(1322675279.923:2995): cwd="/etc"
node=192.168.91.147 type=EXECVE msg=audit(1322675279.923:2995): argc=2 a0="ls" a1="-l"
node=192.168.91.147 type=SYSCALL msg=audit(1322675279.923:2995): arch=c000003e syscall=59 success=yes exit=0 a0=8c5e28 a1=8c8ec8 a2=8c1008 a3=0 items=2 ppid=30917 pid=31368 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=14 comm="ls" exe="/bin/ls" key="My Key"

and this is what I get on the remote server:

time->Wed Nov 30 17:47:59 2011
node=192.168.91.147 type=EXECVE msg=audit(1322675279.923:2995): argc=2 a0="ls"
node=192.168.91.147 type=SYSCALL msg=audit(1322675279.923:2995): arch=c000003e syscall=59 success=yes exit=0 a0=8c5e28 a1=8c8ec8 a2=8c1008 a3=0 items=2 ppid=30917 pid=31368 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=14 comm="ls" exe="/bin/ls" key="My Key"

As you can see.. I'm losing "a1=-l" and a bunch more information.

In the /var/log/audit/audit.log file on the server, I get a bunch of blank spaces after a0="ls", it would seem to me that would be the culprit but I don't know how to fix it.

I'm using audisp-remote to send the data across.

Client:
Debian Lenny with 1.7.4-1
Server:
CentOS 5.5 with 1.7.18-2.el5

Any ideas??

Does /var/log/audit/audit.log on the client show all args correctly? If so then what is the audit version? Centos, which BTW is at release 5.7 now, has audit-1.7.18-2.el5 which logs args correctly. In the meanwhile, but only if /var/log/audit/audit.log on the client show all args correctly, a workaround could be to install Rsyslogd and have it read and send the log to the server. An example of having Rsyslogd read a file (real simple) is here: http://www.linuxquestions.org/questi...3/#post4495746

The local audit.log is showing correctly. I just checked on Squeeze and everything logs correctly. My testing system was lenny, but the end system that I'm going to be using is Squeeze, so everything is working correctly. So 1.7.4 on the client side was the culprit.