* (no subject)
@ 2007-11-02 16:21 Bill Tangren
  2007-11-02 16:37 ` aureport output Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Bill Tangren @ 2007-11-02 16:21 UTC (permalink / raw)
  To: Linux-audit

I am running audit-1.0.15-3.EL4 on a RHEL ES 4 system, fully patched. I am
trying to learn the meaning of the output of aureport. For example, if I
want to look at failed events, could you tell me what the following means?
That is, how do I know from this what is failing, and why?



[root@doggett ~]# /sbin/aureport -e --failed -ts yesterday 00:00:00 -te today 00:00:00

Event Report
===========================
# date time event type auid
===========================
1. 11/01/2007 12:00:00 AM 5844794 SYSCALL -1



TIA,
Bill Tangren


* Re: aureport output
  2007-11-02 16:21 (no subject) Bill Tangren
@ 2007-11-02 16:37 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2007-11-02 16:37 UTC (permalink / raw)
  To: linux-audit

On Friday 02 November 2007 12:21:26 pm Bill Tangren wrote:
> Event Report
> ===========================
> # date time event type auid
> ===========================
> 1. 11/01/2007 12:00:00 AM 5844794 SYSCALL -1

The event report is to give you an idea about the distribution of events 
occurring on your system. In this case, it's a syscall that is failing. To see 
the actual record, use "ausearch -ts 11/01/2007 12:00:00 -te 11/01/2007 
12:00:01 -a 5844794 -i"

-Steve
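
Added example, not part of the original thread: a small Python parser that answers "what is failing, and why" from the raw SYSCALL record that the ausearch command above would return without -i. The record in SAMPLE is constructed for illustration (only the event number 5844794 and the auid of -1 come from the thread); the helper names are hypothetical.

```python
import errno
import os
import re
import shlex

# auid is an unsigned 32-bit field; (u32)-1 means no login uid was set,
# which aureport prints as -1.
UNSET_AUID = 4294967295

# Constructed sample record (not from the thread); the timestamp, arch,
# syscall, pid and path values are made up for the example.
SAMPLE = ('type=SYSCALL msg=audit(1193875200.123:5844794): arch=40000003 '
          'syscall=5 success=no exit=-13 a0=bffff8a1 a1=8000 a2=0 a3=8000 '
          'items=1 pid=4321 auid=4294967295 uid=0 gid=0 euid=0 suid=0 '
          'fsuid=0 egid=0 sgid=0 fsgid=0 comm="cat" exe="/bin/cat"')

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')


def parse_record(line):
    """Split one raw audit line into type, timestamp, event serial, fields."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, stamp, serial, body = m.groups()
    # shlex strips the quotes around values such as comm="cat"
    fields = dict(t.split('=', 1) for t in shlex.split(body) if '=' in t)
    return {'type': rtype, 'time': float(stamp),
            'event': int(serial), 'fields': fields}


def explain_failure(rec):
    """Return what failed and why for a failed SYSCALL record, else None."""
    f = rec['fields']
    if rec['type'] != 'SYSCALL' or f.get('success') != 'no':
        return None
    code = -int(f['exit'])            # a failed syscall exits with -errno
    auid = int(f['auid'])
    return {
        'event': rec['event'],        # the "event" column in aureport -e
        'syscall': int(f['syscall']), # number is arch-specific; -i names it
        'errno': errno.errorcode.get(code, str(code)),
        'reason': os.strerror(code),
        'auid': -1 if auid == UNSET_AUID else auid,
        'exe': f.get('exe'),
    }


if __name__ == '__main__':
    print(explain_failure(parse_record(SAMPLE)))
```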

