From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: aureport question
Date: Wed, 23 Dec 2009 09:34:21 -0500
Message-ID: <200912230934.21352.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Sunday 20 December 2009 04:10:29 pm LC Bruzenak wrote:
> The aureport utility has an option to use an alternative input file.

Right. This is to override the directory setting that it gets from auditd.conf.

> Because I have to move my logs, I really need an alternative input
> directory, preferably a starting point, since my saved logs are:
> /var/log/audit-archive/// .
> Then I could do "aureport --topdir /var/log/audit-archive/2009/12 "
> and get all the 12/2009 events up to now.
>
> What do you think?

This trick doesn't work any more?
https://www.redhat.com/archives/linux-audit/2009-August/msg00031.html

You could do

cat `ls /var/log/audit-archive////a* | sort -r` | aureport

and it should work.

> I thought about creating a different flat directory and just linking
> the files I want, however I do not think the current options will
> allow this either. I guess that would be the easiest change though, to
> allow the -if parameter to be a directory or a file.

I suppose that could be done. But whatever we do in aureport, we need to do to ausearch since they share a lot of code and design.

-Steve
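The stdin trick Steve describes, written out as an added example (not from the list message or the audit project): it builds a small constructed archive tree, streams the files in the same reverse sorted order as the reply's `ls ... | sort -r`, and pipes them to aureport when it is installed. The `<topdir>/<year>/<month>/<day>/audit.log*` layout is an assumption, since the original path placeholders did not survive extraction.

```shell
#!/bin/sh
# Added example, not the list message's or the audit project's own code.
# Streams archived audit logs into aureport on stdin, using find instead of
# `ls` inside backticks so long file lists and odd file names do not break it.
# Assumed layout (an assumption): <topdir>/<year>/<month>/<day>/audit.log*

# Build a small constructed archive tree so the example runs offline.
make_sample_archive() {
    top=$(mktemp -d)
    for day in 2009/12/20 2009/12/21 2009/12/22; do
        mkdir -p "$top/$day"
        printf 'type=USER_LOGIN msg=audit(%s): constructed record\n' "$day" \
            > "$top/$day/audit.log"
    done
    echo "$top"
}

# Print every audit file below TOPDIR in reverse sorted path order, the
# same order the reply's `ls ... | sort -r` produces, one record per line.
archive_records() {
    find "$1" -type f -name 'audit.log*' | sort -r | while IFS= read -r f; do
        cat "$f"
    done
}

# Typical use: feed the stream to aureport (or ausearch) on stdin.
# Only call the tool when it is installed so the script still runs elsewhere.
top=$(make_sample_archive)
if command -v aureport >/dev/null 2>&1; then
    archive_records "$top" | aureport --summary
else
    archive_records "$top"
fi
```

The same stream works for ausearch, which is why Steve notes that any new option would need to land in both tools.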