ausearch nodes option

ausearch nodes option

[LC Bruzenak]

On an audit collector machine, I (obviously) have data from different
hosts.
In an ausearch I would like to look for events from multiple hosts.
Ideally I would have multiple "-n <HOSTNAME>" entries which would return
events for any of the hosts.

The man page says that the options form an "and" statement. I find this
isn't the case with multiple hosts specified, but the result is the
"last host listed wins": 

[root@audit audit]# ausearch -i -n client3 -n client12 | grep client3 |
wc 
      0       0       0

[root@audit audit]# ausearch -i -n client12 -n client3 | grep client3 |
wc 
   2035   35292  529086

[root@audit audit]# ausearch -i -n client12 -n client3 | grep client12 |
wc 
      0       0       0

[root@audit audit]#  ausearch -i -n client3 -n client12 | grep client12
| wc 
   1709   29481  445211


I may patch my own ausearch to behave differently. I could just extract
them independently, however then I'd need to weave them back together
because I need the events to be sequential.

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com

Re: ausearch nodes option

[Steve Grubb]

On Friday 05 June 2009 10:07:02 am LC Bruzenak wrote:
> In an ausearch I would like to look for events from multiple hosts.
> Ideally I would have multiple "-n <HOSTNAME>" entries which would return
> events for any of the hosts.
>
> The man page says that the options form an "and" statement. I find this
> isn't the case with multiple hosts specified, but the result is the
> "last host listed wins":

ausearch has one and exactly one entry for each search option that you add to 
a command line. Two nodes don't work just as two files or two terminals don't 
work. It does however do a partial match. So you could have a naming scheme 
that allows search by subnet.

ausearch -n 192.168.1


> I may patch my own ausearch to behave differently.

If you patch yours, send it to the list.

-Steve

Re: ausearch nodes option

[LC Bruzenak]

On Fri, 2009-06-05 at 10:42 -0400, Steve Grubb wrote:
> On Friday 05 June 2009 10:07:02 am LC Bruzenak wrote:
> > In an ausearch I would like to look for events from multiple hosts.
> > Ideally I would have multiple "-n <HOSTNAME>" entries which would return
> > events for any of the hosts.
> >
> > The man page says that the options form an "and" statement. I find this
> > isn't the case with multiple hosts specified, but the result is the
> > "last host listed wins":
> 
> ausearch has one and exactly one entry for each search option that you add to 
> a command line. Two nodes don't work just as two files or two terminals don't 
> work. It does however do a partial match. So you could have a naming scheme 
> that allows search by subnet.
> 
> ausearch -n 192.168.1

OK; thanks.
This will not help me though, since the collector has multiple NICs on
different subnets and the hosts I need to extract are all on different
ones. So I end up with the same situation there.

> 
> 
> > I may patch my own ausearch to behave differently.
> 
> If you patch yours, send it to the list.

Will do.

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com