On Tue, 2007-09-25 at 11:02 -0400, Steve Grubb wrote:

> > I would really like to see a sample of what the auparse output looks
> > like. I have a Perl script that sucks the output of ausearch into a
> > key-value hash table from which I have other code that determines how to
> > print this in a human friendly format, but I'm wondering if auparse
> > can replace that or if all it does for me is to get the information into
> > the key-value hash table so I can decide how I want to format the output
>
> Yes. It would let you write an app that is more efficient than using perl on
> ausearch output.

That's not really true, and when it is true it's only because ausearch is
so slow at doing "cat":

# time fgrep USER_LOGIN /var/log/audit/*
fgrep USER_LOGIN /var/log/audit/*  0.01s user 0.01s system 97% cpu 0.017 total

# time perl -ne '/^type=USER_LOGIN msg=audit\((\d+).* auid=(\d*).*\Whostname=(\w*).*\Wterminal=(\S*).*\Wres=success\W/ && print localtime($1) . " - $2 - $3:$4\n"' /var/log/audit/* > /dev/null
perl -ne  /var/log/audit/*  0.06s user 0.01s system 99% cpu 0.074 total

# time ausearch -m USER_LOGIN -i | perl -ne '/^type=USER_LOGIN msg=audit\(([^)]+).* auid=(\d*).*\Whostname=(\w*).*\Wterminal=(\S*).*\Wres=success\W/ && print "$1 - $2 - $3:$4\n"' > /dev/null
ausearch -m USER_LOGIN -i  0.28s user 0.01s system 99% cpu 0.288 total
perl -ne  0.00s user 0.00s system 1% cpu 0.288 total

# time ./lastlog_audit > /dev/null
./lastlog_audit  0.54s user 0.01s system 99% cpu 0.557 total

# time ausearch -i | perl -ne '/^type=USER_LOGIN msg=audit\(([^)]+).* auid=(\d*).*\Whostname=(\w*).*\Wterminal=(\S*).*\Wres=success\W/ && print "$1 - $2 - $3:$4\n"' > /dev/null
ausearch -i  1.61s user 0.75s system 98% cpu 2.388 total
perl -ne  0.11s user 0.05s system 6% cpu 2.386 total

...the lastlog_audit is the obvious implementation using your provided code
as a starting point:

http://people.redhat.com/jantill/lastlog_audit.c

-- 
James Antill
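The thread compares a one-line Perl regex over the raw audit log against ausearch/auparse for pulling USER_LOGIN events into a key-value table. As an added example, not code from the thread, from James Antill or from the audit project, the following Python parser does the key-value hashing the original poster describes: it splits each raw audit record into its header (type, timestamp, serial) and body fields, descends into the nested msg='...' payload where hostname/terminal/res live, and reports successful and failed logins separately. The sample records are constructed (serials, PIDs, hosts and addresses are invented) and only follow the raw audit.log layout the regexes in the thread match against; the AUID_UNSET value is the standard (unsigned)-1 sentinel for "no login uid assigned".

```python
import re
from datetime import datetime, timezone

# Constructed sample records (not taken from the thread). The layout follows the
# raw key=value format of /var/log/audit/audit.log; all identifiers are invented.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1190732541.123:456): user pid=1234 uid=0 auid=500 msg='op=login id=500 exe="/usr/sbin/sshd" (hostname=host1.example.com, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1190732600.456:457): user pid=1300 uid=0 auid=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" (hostname=?, addr=192.0.2.11, terminal=ssh res=failed)'
type=SYSCALL msg=audit(1190732601.001:458): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=1301
type=USER_LOGIN msg=audit(1190732700.789:459): user pid=1400 uid=0 auid=501 msg='op=login id=501 exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
"""

# Record header: type=<TYPE> msg=audit(<secs>.<millis>:<serial>): <body>
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
# key=value tokens in the body: single-quoted, double-quoted, or bare (up to whitespace)
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

AUID_UNSET = 4294967295  # (unsigned)-1: the kernel has not assigned a login uid


def parse_fields(text, out=None):
    """Parse key=value pairs into a dict. The nested msg='...' payload of
    USER_* records is parsed recursively so hostname/terminal/res land in
    the same dict as the outer pid/uid/auid fields."""
    out = {} if out is None else out
    for key, value in KV_RE.findall(text):
        if len(value) >= 2 and value[0] == "'" and value[-1] == "'":
            inner = value[1:-1]
            out[key] = inner
            parse_fields(inner, out)
        else:
            # Values inside the "(hostname=..., addr=..., terminal=... res=...)"
            # group carry a trailing comma or paren that is not part of the value.
            out[key] = value.rstrip(",)").strip('"')
    return out


def parse_record(line):
    """Split one audit record into header fields (type, time, serial) plus its
    body key=value fields. Returns None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, _millis, serial, body = m.groups()
    rec = {"type": rtype, "time": int(secs), "serial": int(serial)}
    rec.update(parse_fields(body))
    return rec


def login_report(log_text):
    """Return (successes, failures): lists of (utc time, auid, hostname, terminal)
    tuples for USER_LOGIN records, split on the res= field. The successes carry
    the same information as the thread's one-line regex; the failures are what a
    defender usually wants to look at as well."""
    successes, failures = [], []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["type"] != "USER_LOGIN":
            continue
        auid = int(rec.get("auid", AUID_UNSET))
        when = datetime.fromtimestamp(rec["time"], tz=timezone.utc)
        row = (
            when.strftime("%Y-%m-%d %H:%M:%S"),
            "unset" if auid == AUID_UNSET else str(auid),
            rec.get("hostname", "?"),
            rec.get("terminal", "?"),
        )
        (successes if rec.get("res") == "success" else failures).append(row)
    return successes, failures


if __name__ == "__main__":
    ok, bad = login_report(SAMPLE_AUDIT_LOG)
    for when, auid, host, term in ok:
        print(f"{when} - {auid} - {host}:{term}")
    print(f"{len(bad)} failed login(s)")
```

Timestamps are rendered in UTC rather than with localtime() so the output does not depend on the host's timezone; an auid of 4294967295 is reported as "unset" because that value means no login uid was ever attached to the session, which is itself worth flagging when auditing logins.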