aureport question

aureport question

[LC Bruzenak]

Steve,

The aureport utility has an option to use an alternative input file.
Because I have to move my logs, I really need an alternative input
directory, preferably a starting point, since my saved logs are:
/var/log/audit-archive/<YEAR>/<MONTH>/<DAY> .
Then I could do "aureport --topdir /var/log/audit-archive/2009/12 "
and get all the 12/2009 events up to now.

What do you think?

I thought about creating a different flat directory and just linking
the files I want, however I do not think the current options will
allow this either. I guess that would be the easiest change though, to
allow the -if parameter to be a directory or a file.

Thx,
LCB.

-- 
LC (Lenny) Bruzenak

Re: aureport question

[Steve Grubb]

On Sunday 20 December 2009 04:10:29 pm LC Bruzenak wrote:
> The aureport utility has an option to use an alternative input file.

Right. This is to override the directory setting that it gets from 
auditd.conf.

> Because I have to move my logs, I really need an alternative input
> directory, preferably a starting point, since my saved logs are:
> /var/log/audit-archive/<YEAR>/<MONTH>/<DAY> .
> Then I could do "aureport --topdir /var/log/audit-archive/2009/12 "
> and get all the 12/2009 events up to now.
> 
> What do you think?

This trick doesn't work any more?
https://www.redhat.com/archives/linux-audit/2009-August/msg00031.html

You could do 
cat `ls /var/log/audit-archive/<YEAR>/<MONTH>/<DAY>/a* | sort -r` | aureport
and it should work.

> I thought about creating a different flat directory and just linking
> the files I want, however I do not think the current options will
> allow this either. I guess that would be the easiest change though, to
> allow the -if parameter to be a directory or a file.

I suppose that could be done. But whatever we do in aureport, we need to do to 
ausearch since they share a lot of code and design.

-Steve