Here is an example TRUSTED_APP event:
node=v1 type=TRUSTED_APP msg=audit(10/24/2008 10:02:52.952:9585) : user pid=18103 uid=root auid=root ses=1 subj=system_u:system_r:jcdx_sslog_t:s0-s15:c0.c1023 msg='E 10/24 15:02:52 comms 18371 cen_mon Process Monitor unable to read host list from procmon_db : exe=/opt/jcdx/sbin/SecureSyslog (hostname=?, addr=?, terminal=? res=failed)'
The important part of this event for a reviewer is the 'msg=' info.
I cannot see a way to get this info in the audit-viewer. I tried adding this field into the columns as a test but nothing showed up there either.
Thanks for your report.
The generic format of audit records is supposed to be: space-separated ''name''=''value'' pairs, neither ''name'' nor ''value'' containing a space character. The message in msg='...' therefore does not define any fields that could be displayed by audit-viewer.
(Yes, the design of the format and the way it is used in practice are quite inconsistent. You must have noticed the discussions on linux-audit.)
audit-viewer only works with the name=value pairs; I'd like to modify libauparse to parse the legacy records into a well-defined set of ''name''=''value'' fields, but that's not something I plan to fix in audit-viewer.
Metadata Update from @mitr:
- Issue assigned to mitr
to comment on this ticket.