#fim
clong

11/08/2018, 10:39 PM
So, just to be clear: you cannot run auditd and osquery (with auditing enabled) at the same time and have audit events go to both of them?

shed7

11/09/2018, 9:21 AM
Yep, sorry, I should have been clearer. Because I had audit_debug as a flag, osquery was logging the auditd-type records, but there were no osquery JSON logs of the same events, and, as I said, auditctl -s said it was osquery that had the handle on the socket.