From mboxrd@z Thu Jan  1 00:00:00 1970
From: LC Bruzenak <lenny@magitekltd.com>
Subject: Re: buffer space
Date: Mon, 17 Aug 2009 12:24:31 -0500
Message-ID: <1250529871.3048.706.camel@homeserver>
References: <OF353CD1BD.0E9A8BA7-ON85257611.004F634D-85257611.00521D7B@us.ibm.com>
	<200908131428.52924.sgrubb@redhat.com>
	<OF5956BB72.51CBF8D6-ON85257615.004E4644-85257615.005179A7@us.ibm.com>
	<200908171108.00417.sgrubb@redhat.com>
	<OF38D7A3B6.53926BC4-ON85257615.00596C69-85257615.005B61DB@us.ibm.com>
	<1250527972.3048.693.camel@homeserver>
	<OF8178196E.5DEEC785-ON85257615.005D937A-85257615.005DEF69@us.ibm.com>
	<1250529356.3048.700.camel@homeserver>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id n7HHOlQM029419
	for <linux-audit@redhat.com>; Mon, 17 Aug 2009 13:24:47 -0400
Received: from mail.magitekltd.com (rrcs-24-242-137-197.sw.biz.rr.com
	[24.242.137.197])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id n7HHOWRA031789
	for <linux-audit@redhat.com>; Mon, 17 Aug 2009 13:24:32 -0400
In-Reply-To: <1250529356.3048.700.camel@homeserver>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: David Flatley <dflatley@us.ibm.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com


On Mon, 2009-08-17 at 12:15 -0500, LC Bruzenak wrote:
> On Mon, 2009-08-17 at 13:06 -0400, David Flatley wrote:
> > Lenny:
> > 
> > I was going to move the rotated logs into /home/logs and use "ausearch
> > -i -f /home/logs".
> > 
> > 
> > David Flatley CISSP
> > 
> > 
> 
> David,
> 
> It won't work like that; exactly the issue I described:
> 
> [root@slim root]# mkdir logs-test
> [root@slim root]# cd !$
> cd logs-test
> [root@slim logs-test]# auditctl -m "TEST message"
> [root@slim logs-test]# service auditd rotate
> Rotating logs:                                             [  OK  ]
> [root@slim logs-test]# cp /var/log/audit/audit.log.1 .
> [root@slim logs-test]# ausearch -i -f `pwd` -m USER
> <no matches>
> [root@slim logs-test]# grep TEST audit.log.1
> node=slim type=USER msg=audit(1250529052.265:305135): user pid=8191
> uid=0 auid=500 ses=4172 subj=user_u:user_r:user_t:s0 msg='TEST message:
> exe="/sbin/auditctl" (hostname=?, addr=?, terminal=pts/18 res=success)'
> 
> 
> LCB.
> 

David,

I should have been more diligent. The input switch was supposed to be
"-if" IIUC. The "-f" switch is looking for a filename inside the record.

[root@slim logs-test]# ausearch -i -if `pwd` -m USER
<no matches>

[root@slim logs-test]# ausearch -i -if `pwd`/audit.log.1  -m USER
...
----
node=slim type=USER msg=audit(08/17/2009 12:10:52.265:305135) : user
pid=8191 uid=root auid=lcb ses=4172 subj=user_u:user_r:user_t:s0
msg='TEST message: exe=/sbin/auditctl (hostname=?, addr=?,
terminal=pts/18 res=success)' 
...

This is what you want to do right - search inside a directory other
than /var/log/audit with multiple audit logs inside the directory?

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com