From: Martin Badie
To: freebsd-questions@freebsd.org
Date: Tue, 27 Jan 2009 12:37:41 -0800 (PST)
Subject: audit not working
Message-ID: <699775.55525.qm@web59906.mail.ac4.yahoo.com>

Hi,

I am trying to get audit logs but I can't, and frankly I haven't been able to find out what is wrong with my conf files:

audit_control:

    dir:/var/audit
    flags:lo,+ex
    minfree:20
    naflags:lo
    policy:cnt,argv
    filesz:0

audit_warn:

    logger -p security.warning "audit warning: $@"
    #
    # Compress audit trail files on close.
    #
    if [ "$1" = closefile ]; then
        gzip -9 $2
    fi

My audit_user file is empty and the other 2 files are untouched. But the only line I get is:

    header,93,10,audit startup,0,Tue Jan 27 22:34:14 2009, + 916 msec
    subject,root,root,wheel,root,wheel,1571,1571,0,0.0.0.0
    text,auditd::Audit startup
    return,success,0
    trailer,93

praudit /dev/auditpipe also doesn't give me real-time logs. One last point is that sometimes with the configuration above I get some command execution lines, but not all of them, so I couldn't figure out what is wrong with my config.

I would appreciate it if someone on this list could help me.

Regards.
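As an added example (not part of the original message and not FreeBSD's own code), this Python code interprets the `flags` and `naflags` lines of the posted audit_control using the prefix rules from audit_control(5): no prefix selects successful and failed events, `+` only successful, `-` only failed, and `^` removes a class again. The function names and the subset of class bits are assumptions for illustration, and per-user entries in audit_user are ignored because the message says that file is empty.

```python
# Constructed sample: the audit_control lines quoted in the message above.
SAMPLE = """\
dir:/var/audit
flags:lo,+ex
minfree:20
naflags:lo
policy:cnt,argv
filesz:0
"""

# Subset of class bits from the stock /etc/security/audit_class.
CLASS_BITS = {"fr": 0x1, "fw": 0x2, "pc": 0x80, "nt": 0x100, "ad": 0x800,
              "lo": 0x1000, "aa": 0x2000, "ex": 0x40000000, "all": 0xFFFFFFFF}

def parse_audit_control(text):
    """Return {key: value} for key:value lines, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def parse_flags(spec):
    """Turn a flags/naflags value into (success_mask, failure_mask)."""
    success = failure = 0
    for item in filter(None, (s.strip() for s in spec.split(","))):
        clear = item.startswith("^")          # ^ removes a class again
        item = item[1:] if clear else item
        sign = item[:1] if item[:1] in ("+", "-") else ""
        name = item[len(sign):]
        if name not in CLASS_BITS:
            raise ValueError(f"unknown audit class: {name!r}")
        bits = CLASS_BITS[name]
        if sign != "-":                       # no prefix or "+": success
            success = success & ~bits if clear else success | bits
        if sign != "+":                       # no prefix or "-": failure
            failure = failure & ~bits if clear else failure | bits
    return success, failure

def selected(conf, cls, succeeded, attributable=True):
    """Is an event of class cls preselected by the global masks?"""
    ok, fail = parse_flags(conf.get("flags" if attributable else "naflags", ""))
    return bool((ok if succeeded else fail) & CLASS_BITS[cls])

if __name__ == "__main__":
    conf = parse_audit_control(SAMPLE)
    for cls in ("lo", "ex", "fr"):
        print(cls, "success:", selected(conf, cls, True),
              "failure:", selected(conf, cls, False))
```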