Artem
04/14/2021, 1:49 PM
auditdnetlink.cpp:647] Failed to set the netlink owner
But I don't have auditd in my OS.
This is my conf
"options": {
"audit_allow_config": "true",
"audit_allow_fim_events": "true",
"audit_allow_sockets": "true",
"audit_fim_show_accesses": "true",
"enable_file_events": "true",
"disable_events": "false",
"audit_persist": "false",
"disable_audit": "false",
"audit_allow_process_events": "true",
"pack_delimiter": "/",
"config_plugin": "filesystem"
},
What is my error? Could anyone help pls?
Mike Myers
04/14/2021, 3:36 PM
Artem
04/14/2021, 3:39 PM
Mike Myers
04/14/2021, 3:41 PM
auditd
using it, but I don't know how to check this exactly. @alessandrogario do you know a way?
alessandrogario
04/14/2021, 3:43 PM
Artem
04/14/2021, 3:44 PM
Mike Myers
04/14/2021, 3:44 PM
alessandrogario
04/14/2021, 3:46 PM
ps aux | grep audit
should only show the kernel service
Mike Myers
04/14/2021, 3:47 PM
audit_open
successfully)
Artem
04/14/2021, 3:56 PM
I0414 18:51:54.292611 7985 auditdnetlink.cpp:329] Attempting to configure the audit service
I0414 18:51:54.292675 7985 auditdnetlink.cpp:357] Enabling audit rules for the process_events (execve, execveat) table
I0414 18:51:54.292701 7985 auditdnetlink.cpp:384] Enabling audit rules for the process_file_events table
E0414 18:53:11.438526 7970 eventsubscriberplugin.cpp:644] Found 43 invalid events (43 have been successfully erased)
I see records in process_events tables. But process_file_events is empty, why?(((
Mike Myers
04/14/2021, 4:10 PM
Artem
04/14/2021, 8:21 PM
alessandrogario
04/15/2021, 7:35 AM
Artem
04/15/2021, 7:44 AM