Zdenek,
ausearch only searches /var/log/audit/audit.log, with the SYSCALL number listed
inside the audit.log,
for example:
ausearch -i -sc 208
Thanks.
----henry
On Thu, Jun 1, 2023 at 8:13 AM Henry Zhang <henryzhang62(a)gmail.com> wrote:
Zdenek,
Would you please give a sample to run ausearch to find out arch?
Thanks.
---henry
On Thu, Jun 1, 2023, 00:48 Zdenek Pytela <zpytela(a)redhat.com> wrote:
>
>
> On Wed, May 31, 2023 at 9:47 PM Henry Zhang <henryzhang62(a)gmail.com>
> wrote:
>
>> Hi folks,
>>
>> I want to analyze audit.log and see
>> arch=c00000b7 syscall=35
>>
>> Where can I find what c00000b7 and 35 mean respectively for an arm64 device?
>>
> Hi,
>
> You'd better use the ausearch/aureport commands with the -i switch to
> interpret them.
>
> --
>
> Zdenek Pytela
> Security SELinux team
>
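
Added example, not part of the original thread: a small Python decoder showing how the raw arch= and syscall= fields from the question are built, which is the interpretation the -i switch performs. The function names and the sample record are constructed for illustration, and the syscall table is only a small subset of the arm64 numbers.

```python
import re

# Flag bits from linux/audit.h; they are OR-ed with the ELF e_machine number.
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000

# ELF e_machine numbers (subset).
EM_NAMES = {3: "i386", 40: "arm", 62: "x86_64", 183: "aarch64"}

# Small subset of the arm64 (asm-generic) syscall table; numbers are per-arch.
AARCH64_SYSCALLS = {35: "unlinkat", 56: "openat", 208: "setsockopt", 221: "execve"}

ARCH_RE = re.compile(r"\barch=([0-9a-fA-F]+)\b")
SYSCALL_RE = re.compile(r"\bsyscall=(\d+)\b")

# Constructed sample record (not taken from a real log).
SAMPLE = ("type=SYSCALL msg=audit(1685577600.123:456): arch=c00000b7 "
          "syscall=35 success=yes exit=0 comm=\"rm\"")


def decode_arch(value):
    """Split a raw arch value into (machine, word size, endianness)."""
    machine = value & 0xFFFF  # e_machine is a 16-bit ELF field
    name = EM_NAMES.get(machine, "unknown(%d)" % machine)
    bits = 64 if value & AUDIT_ARCH_64BIT else 32
    endian = "little" if value & AUDIT_ARCH_LE else "big"
    return name, bits, endian


def decode_record(line):
    """Interpret arch= and syscall= in one SYSCALL record, or return None."""
    arch_m, sc_m = ARCH_RE.search(line), SYSCALL_RE.search(line)
    if not arch_m or not sc_m:
        return None  # not a SYSCALL record, or truncated
    name, bits, endian = decode_arch(int(arch_m.group(1), 16))
    number = int(sc_m.group(1))
    # Only look the number up when the table matches the record's arch.
    if (name, bits) == ("aarch64", 64):
        syscall = AARCH64_SYSCALLS.get(number, "unknown(%d)" % number)
    else:
        syscall = "unknown(%d)" % number
    return {"arch": name, "bits": bits, "endian": endian, "syscall": syscall}


if __name__ == "__main__":
    print(decode_record(SAMPLE))
```

The same syscall number maps to different calls on different architectures, which is why the arch field has to be decoded before the syscall number is looked up.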