Hi Doug,
We use your excellent Auditd app and various TAs. It's geared for RHEL, which is understandable, but where applicable we use it with Ubuntu also.
For better or worse, we are using "UFW" on Ubuntu. It appears practically impossible to permanently change the log prefix for built-in rules (we've spent considerable time investigating).
In the Linux Netfilter (iptables) Add-On documentation you say that we should add "ACTION=" with values ACCEPT, DROP or REJECT.
Could you please consider modifying your queries to also find "[UFW BLOCK]", "[UFW DROP]" or "[UFW REJECT]" so that it will just work with UFW? (I understand that UFW is the default on Ubuntu)
Thank you!
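As an added illustration of the normalization being requested (example code written here, not part of the post, the Auditd app, or UFW), this parser reads kernel Netfilter log lines and recovers an action both from an `ACTION=` prefix and from UFW's fixed `[UFW BLOCK]`/`[UFW ALLOW]` prefixes; the sample lines, the exact placement of `ACTION=` at the start of the message, and the mapping of UFW's BLOCK verb onto DROP are assumptions.

```python
import re

# Constructed sample kernel log lines (not from the post). The first uses the
# "ACTION=" prefix the Netfilter add-on documentation asks for; the rest use
# UFW's built-in prefixes, which cannot easily be changed.
SAMPLE_LINES = [
    "kernel: ACTION=DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=22",
    "kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF "
    "PROTO=TCP SPT=51000 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0",
    "kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.20 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353",
    "kernel: [UFW AUDIT] IN=eth0 OUT= SRC=192.0.2.21 DST=192.0.2.10 PROTO=ICMP TYPE=8",
]

# Assumed mapping of UFW prefix verbs onto the ACTION values the add-on
# expects. BLOCK is what ufw's default deny policy logs, so it is treated as
# DROP; AUDIT is log-only and carries no verdict, so it maps to nothing.
UFW_ACTION_MAP = {"BLOCK": "DROP", "DROP": "DROP", "REJECT": "REJECT", "ALLOW": "ACCEPT"}

ACTION_RE = re.compile(r"\bACTION=(ACCEPT|DROP|REJECT)\b")
UFW_RE = re.compile(r"\[UFW (BLOCK|DROP|REJECT|ALLOW|AUDIT)\]")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # Netfilter's KEY=value tokens; bare flags (DF, SYN) are skipped


def parse_netfilter_line(line):
    """Return a dict of KEY=value fields plus a normalized 'action',
    or None when the line carries neither recognized prefix."""
    action = None
    m = ACTION_RE.search(line)
    if m:
        action = m.group(1)
    else:
        m = UFW_RE.search(line)
        if m:
            action = UFW_ACTION_MAP.get(m.group(1))
    if action is None:
        return None
    # Only parse fields after the prefix so the prefix itself is not re-read.
    fields = {k: v for k, v in KV_RE.findall(line[m.end():])}
    fields["action"] = action
    return fields


def count_by_action(lines):
    """Tally normalized verdicts, which is what a dashboard query would group by."""
    counts = {}
    for line in lines:
        rec = parse_netfilter_line(line)
        if rec is not None:
            counts[rec["action"]] = counts.get(rec["action"], 0) + 1
    return counts
```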