public inbox for linux-audit@redhat.com
From: LC Bruzenak <lenny@magitekltd.com>
To: Mr Dash Four <mr.dash.four@googlemail.com>
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: excluding auditd events
Date: Wed, 01 Jun 2011 09:08:19 -0500
Message-ID: <1306937299.2072.21.camel@lcb>
In-Reply-To: <4DE6369F.9070103@googlemail.com>


> So, it turns out that apart from the human-like date description like 
> "yesterday" and "today", ausearch only accepts 2-digit years! I thought 
> we have long-passed these Y2K-related issues - that is so 1999. That is 
> assuming I didn't mess things up, which is also a possibility, of 
> course! The error messages I was getting above did not help my cause either!

Too bad on not using mock; it is in my experience easier than grabbing
pieces needed and certainly easier when those pieces get revised.

You must have read the ausearch man page which describes the date usage
and subsequently followed the pointer to the localtime man page. The
dates work as described in those pages:

$ sudo ausearch -ts 05/30/2011 | less  
works fine for me on FC10 & RHEL6.

Look at your system time - is it correct?
Use the "date" command.
Check your LC_TIME ENV variable.


> -bash-4.1# ausearch -m AVC -ts "05/26/11" | more <- works!

$ sudo ausearch -m AVC -ts "05/26/11"
Error - year is 11

This also is the same for me on FC10 & RHEL6 (audit-1.7.16 and
audit-2.1-5 respectively). So my guess is your LC_TIME or locale value
is set for 2-digit dates or something along those lines. The "date"
command should yield a clue, especially "date +%x".

LCB
-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
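
The locale dependence discussed in the message above, as an added example that is not part of the original e-mail or of the audit project's code: it parses the two dates from the thread with strptime() under a 4-digit-year and a 2-digit-year format. Assumptions: the date string is handed to strptime() with the locale's date format, the two format strings are constructed stand-ins for what "date +%x" may report under different LC_TIME settings, and check_date() and its result codes are hypothetical names.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose strptime() in <time.h> */
#endif
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Prototype repeated in case <time.h> was included before the macro above. */
char *strptime(const char *s, const char *format, struct tm *tm);

/* Constructed stand-ins (assumption) for the locale date format:
 * one with a 4-digit year, one with a 2-digit year. */
#define FMT_YEAR4 "%m/%d/%Y"
#define FMT_YEAR2 "%m/%d/%y"

/* Hypothetical result codes for check_date(). */
enum { DATE_OK = 0, DATE_NO_MATCH = 1, DATE_TRAILING = 2, DATE_BAD_YEAR = 3 };

/* Parse text with fmt and store the calendar year in *year.
 * Rejects input that strptime() only partly consumed and years before 1970,
 * so a date written for the other format is reported instead of being
 * silently turned into a different search start time. */
int check_date(const char *text, const char *fmt, int *year)
{
    struct tm tm;
    memset(&tm, 0, sizeof tm);
    *year = 0;
    const char *end = strptime(text, fmt, &tm);
    if (end == NULL)
        return DATE_NO_MATCH;
    *year = tm.tm_year + 1900;
    if (*end != '\0')
        return DATE_TRAILING;      /* e.g. "2011" read as "20" plus "11" */
    if (*year < 1970)
        return DATE_BAD_YEAR;      /* e.g. "11" read as the year 11 */
    return DATE_OK;
}

int main(void)
{
    const char *dates[] = { "05/30/2011", "05/26/11" };  /* dates from the thread */
    const char *fmts[]  = { FMT_YEAR4, FMT_YEAR2 };
    for (int f = 0; f < 2; f++)
        for (int d = 0; d < 2; d++) {
            int year;
            int rc = check_date(dates[d], fmts[f], &year);
            printf("%-10s with %s -> rc=%d year=%d\n", dates[d], fmts[f], rc, year);
        }
    return 0;
}
```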
