From mboxrd@z Thu Jan  1 00:00:00 1970
From: LC Bruzenak <lenny@magitekltd.com>
Subject: ausearch question
Date: Thu, 01 May 2008 13:11:19 -0500
Message-ID: <1209665479.6930.41.camel@homeserver>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id m41IBkrJ009891
	for <linux-audit@redhat.com>; Thu, 1 May 2008 14:11:46 -0400
Received: from magi (rrcs-24-242-137-197.sw.biz.rr.com [24.242.137.197])
	by mx3.redhat.com (8.13.8/8.13.8) with ESMTP id m41IBZAO006173
	for <linux-audit@redhat.com>; Thu, 1 May 2008 14:11:35 -0400
Received: from [24.242.137.194] (helo=[192.168.30.40])
	by magi with esmtpsa (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.63) (envelope-from <lenny@magitekltd.com>)
	id 1JrdE6-0006QE-Rs
	for linux-audit@redhat.com; Thu, 01 May 2008 13:09:50 -0500
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Linux Audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

I was wondering what a "-ts now" would return from my audit data.
I thought maybe it would be similar to a "tail" of the data, but that's
not what I got.

Is this what you'd expect?:

[root@hugo ~]# date ; ausearch -i -ts now --just-one
Thu May  1 14:05:10 EDT 2008
----
type=DAEMON_START msg=audit(05/01/2008 09:14:40.029:3602) : auditd
start, ver=1.7.2 format=raw kernel=2.6.25-1.fc9.x86_64 auid=unset
pid=2003 res=success 


Most of the relevant data is in the record, however:
[root@hugo ~]# uname -a
Linux hugo 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr 17 01:11:31 EDT 2008
x86_64 x86_64 x86_64 GNU/Linux

[root@hugo ~]# rpm -qa | grep audit
audit-libs-1.7.2-6.fc9.i386
audit-1.7.2-6.fc9.x86_64
audit-libs-python-1.7.2-6.fc9.x86_64
audit-libs-devel-1.7.2-6.fc9.x86_64
audit-libs-devel-1.7.2-6.fc9.i386
audit-libs-1.7.2-6.fc9.x86_64

Thx,
LCB.
-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com