public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: The UnSeen <ian@south-border.com>
Subject: Re: Q: audit log rotation.
Date: Tue, 18 Apr 2006 14:48:08 -0400
Message-ID: <200604181448.08606.sgrubb@redhat.com>
In-Reply-To: <Pine.GSO.4.60.0604181238270.18228@sandbox.south-border.com>

On Tuesday 18 April 2006 12:54, The UnSeen wrote:
> Is there a way to dictate the format of naming convention of the rotated
> logfiles to better reflect the date range of the data contained in the
> file instead of simply audit.log.1, audit.log.2, etc?

No. But you can easily cobble something together to do it. BTW, "aureport -t" 
will give you the time ranges.

> Also, it would be nice (if it doesn't exist already) to have a way to do
> audit reductions 1 event on a line instead of X lines for an event.

I suspect that will get messy. You can have a lot of information without a 
visual cue to help decipher what you are looking at. Have you played around 
with aureport ? It was intended to give something more concise, 1 event per 
line. It also gives everything you need to track down the event in the audit 
logs if you need more information.

But just in case you want to see it:

ausearch -ts 1:00:00 | grep -v 'time->' | tr '\n' ' ' | sed -e 's/----/\n/g'

to get the events since 1 am, one per line.

-Steve
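Added example, not part of Steve's reply or of the audit package: the two things discussed above "cobbled together" in POSIX sh. `fold_events` does the one-event-per-line reduction the way the pipeline above does, but joins each record with a single space and drops the `time->` line; `range_name` names a rotated log by the first and last timestamps inside it, taken from the `msg=audit(EPOCH.MS:SERIAL)` field that every raw audit record carries, so the file name says what date range it covers instead of `audit.log.1`. The sample ausearch output and raw log are constructed; `epoch_to_stamp` is a hypothetical helper that converts UTC epoch seconds without relying on GNU `date -d`.

```shell
#!/bin/sh
# Added example (not from the original thread). Two helpers:
#   fold_events : ausearch output on stdin -> one event per line on stdout
#   range_name  : raw audit.log on stdin   -> audit.log.<first>_<last> (UTC)

# Constructed sample of what "ausearch" prints: records separated by "----",
# each preceded by a human-readable "time->" line (fields shortened).
SAMPLE_AUSEARCH='----
time->Tue Apr 18 14:48:08 2006
type=SYSCALL msg=audit(1145386088.123:100): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1145386088.123:100): item=0 name="/etc/passwd"
----
time->Tue Apr 18 14:49:10 2006
type=USER_LOGIN msg=audit(1145386150.456:101): pid=2000 uid=0 auid=500 acct="ian" exe="/usr/sbin/sshd" res=success'

# Constructed sample of the same records as they sit in a raw audit.log.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1145386088.123:100): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1145386088.123:100): item=0 name="/etc/passwd"
type=USER_LOGIN msg=audit(1145386150.456:101): pid=2000 uid=0 auid=500 acct="ian" exe="/usr/sbin/sshd" res=success'

fold_events() {
  # Join the lines of one record with spaces; "----" ends a record,
  # "time->" lines are dropped (the epoch in msg=audit(...) is kept).
  awk '
    /^----$/  { if (line != "") print line; line = ""; next }
    /^time->/ { next }
              { line = (line == "" ? $0 : line " " $0) }
    END       { if (line != "") print line }
  '
}

epoch_to_stamp() {
  # UTC epoch seconds -> YYYYMMDD-HHMMSS using POSIX awk only (no strftime).
  # Date part is the civil-from-days algorithm (valid for the whole Unix era).
  awk -v t="$1" 'BEGIN {
    days = int(t / 86400); secs = t - days * 86400
    z   = days + 719468
    era = int(z / 146097)
    doe = z - era * 146097
    yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
    y   = yoe + era * 400
    doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
    mp  = int((5 * doy + 2) / 153)
    d   = doy - int((153 * mp + 2) / 5) + 1
    m   = (mp < 10) ? mp + 3 : mp - 9
    if (m <= 2) y++
    printf "%04d%02d%02d-%02d%02d%02d\n", y, m, d,
           int(secs / 3600), int(secs % 3600 / 60), secs % 60
  }'
}

range_name() {
  # Pull the epoch seconds out of every msg=audit(EPOCH.MS:SERIAL) field;
  # the log is append-only, so first/last line give the covered range.
  stamps=$(sed -n 's/.*msg=audit(\([0-9]*\)\.[0-9]*:[0-9]*).*/\1/p')
  first=$(printf '%s\n' "$stamps" | head -n 1)
  last=$(printf '%s\n' "$stamps" | tail -n 1)
  if [ -z "$first" ]; then
    echo "range_name: no audit records on stdin" >&2   # empty or foreign file
    return 1
  fi
  printf 'audit.log.%s_%s\n' "$(epoch_to_stamp "$first")" "$(epoch_to_stamp "$last")"
}

# Stand-alone demo on the constructed samples:
printf '%s\n' "$SAMPLE_AUSEARCH"  | fold_events
printf '%s\n' "$SAMPLE_AUDIT_LOG" | range_name
```

In real use the first helper takes `ausearch ... | fold_events` and the second `range_name < /var/log/audit/audit.log.1`; a logrotate postrotate hook could `mv` the file to the printed name. The epoch is used rather than the `time->` line because it is the same field `ausearch` and `aureport` key on, so a folded line still points back to the full record.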

Thread overview: 4+ messages
2006-04-18 16:54 Q: audit log rotation The UnSeen
2006-04-18 18:26 ` Stephen John Smoogen
2006-04-18 18:48 ` Steve Grubb [this message]
2006-04-20 19:21 ` Mackay, Scott