From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: aureport question
Date: Wed, 23 Dec 2009 09:34:21 -0500
Message-ID: <200912230934.21352.sgrubb@redhat.com>
In-Reply-To: <cecd18b00912201310x252c6536j4509f4f6dedf5817@mail.gmail.com>

On Sunday 20 December 2009 04:10:29 pm LC Bruzenak wrote:
> The aureport utility has an option to use an alternative input file.

Right. This is to override the directory setting that it gets from 
auditd.conf.

> Because I have to move my logs, I really need an alternative input
> directory, preferably a starting point, since my saved logs are:
> /var/log/audit-archive/<YEAR>/<MONTH>/<DAY> .
> Then I could do "aureport --topdir /var/log/audit-archive/2009/12 "
> and get all the 12/2009 events up to now.
> 
> What do you think?

This trick doesn't work any more?
https://www.redhat.com/archives/linux-audit/2009-August/msg00031.html

You could do 
cat `ls /var/log/audit-archive/<YEAR>/<MONTH>/<DAY>/a* | sort -rV` | aureport
and it should work.

> I thought about creating a different flat directory and just linking
> the files I want, however I do not think the current options will
> allow this either. I guess that would be the easiest change though, to
> allow the -if parameter to be a directory or a file.

I suppose that could be done. But whatever we do in aureport, we need to do to 
ausearch since they share a lot of code and design.

-Steve
