From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Mather <michael.mather@teksavvy.com>
Subject: Output of aureport in columns
Date: Thu, 12 Jul 2012 16:26:25 -0400
Message-ID: <1342124785.2463.15.camel@debian.domain_name>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx13.extmail.prod.ext.phx2.redhat.com
	[10.5.110.18])
	by int-mx12.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id q6CKQUWA022064
	for <linux-audit@redhat.com>; Thu, 12 Jul 2012 16:26:31 -0400
Received: from ironport2-out.teksavvy.com (ironport2-out.teksavvy.com
	[206.248.154.182])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q6CKQTQq019861
	for <linux-audit@redhat.com>; Thu, 12 Jul 2012 16:26:29 -0400
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi,

I have managed to find an easy way to put the output of aureport into
neat columns. For example:

aureport -i -f | sed 's/=====/==== /g' | column -t

However, if I combine this with ausearch, as in:

ausearch -k ROOT |aureport -i -f | sed .....

then some lines come out properly and some have extra data that shifts
everything off. For example, here are two successive lines from the
output. The first has 9 fields and the second 15:

311. 12-07-12 16:21:03 /proc/self/loginuid open yes /usr/bin/sudo mm 597
312. 12-07-12 16:21:03 (null) inode=970 dev=08:01 mode=0100755 ouid=0
ogid=0 rdev=00:00 execve yes /sbin/aureport root 599

What is happening?

Thanks - Michael Mather
-----------------------