From: Steve Grubb
Subject: Re: Q: audit log rotation.
Date: Tue, 18 Apr 2006 14:48:08 -0400
Message-ID: <200604181448.08606.sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: The UnSeen
List-Id: linux-audit@redhat.com

On Tuesday 18 April 2006 12:54, The UnSeen wrote:
> Is there a way to dictate the format of naming convention of the rotated
> logfiles to better reflect the date range of the data contained in the
> file instead of simply audit.log.1, audit.log.2, etc?

No. But you can easily cobble something together to do it. BTW, "aureport -t"
will give you the time ranges.

> Also, it would be nice (if it doesn't exist already) to have a way to do
> audit reductions 1 event on a line instead of X lines for an event.

I suspect that will get messy. You can have a lot of information without a
visual cue to help decipher what you are looking at. Have you played around
with aureport? It was intended to give something more concise, 1 event per
line. It also gives everything you need to track down the event in the audit
logs if you need more information.

But just in case you want to see it:

ausearch -ts 1:00:00 | grep -v 'time->' | tr '\n' ' ' | sed -e 's/----/\n/g'

to get the events since 1 am, one per line.

-Steve
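
An added example, not part of the original message or of the audit package: one way to "cobble something together" for date-range names, by reading the earliest and latest `msg=audit(EPOCH.MILLIS:SERIAL)` stamps in a rotated file. The function names and the `audit.log.<start>-<end>` naming scheme are assumptions, and `date -d @EPOCH` assumes GNU date.

```shell
#!/bin/sh
# Added example: propose a date-range name for a rotated audit log.
# Every audit record carries msg=audit(EPOCH.MILLIS:SERIAL); the earliest
# and latest EPOCH values in a file bound the data it contains.

# Print "FIRST_EPOCH LAST_EPOCH" for file $1, or nothing if it has no records.
audit_epoch_range() {
    sed -n 's/.*msg=audit(\([0-9][0-9]*\)\.[0-9]*:[0-9]*).*/\1/p' "$1" |
        awk 'NR == 1 { min = max = $1 }
             $1 < min { min = $1 }
             $1 > max { max = $1 }
             END { if (NR) print min, max }'
}

# Print a name such as audit.log.20060418T000000Z-20060418T184808Z for file $1.
# UTC is used so the name does not depend on the host's time zone.
audit_range_name() {
    range=$(audit_epoch_range "$1")
    if [ -z "$range" ]; then
        echo "no audit records found in $1" >&2
        return 1
    fi
    first=${range% *}
    last=${range#* }
    printf 'audit.log.%s-%s\n' \
        "$(date -u -d "@$first" +%Y%m%dT%H%M%SZ)" \
        "$(date -u -d "@$last" +%Y%m%dT%H%M%SZ)"
}

# Constructed sample records (not real log data), deliberately out of order.
sample_log() {
    cat <<'EOF'
type=USER_LOGIN msg=audit(1145386088.606:245): pid=2101 uid=0 res=success
type=SYSCALL msg=audit(1145318400.123:101): arch=40000003 syscall=5 success=yes
type=PATH msg=audit(1145318400.123:101): item=0 name="/etc/passwd"
EOF
}

# Given rotated logs as arguments, print the proposed name for each one.
# Nothing is renamed; review the output before acting on it.
for f in "$@"; do
    name=$(audit_range_name "$f") && printf '%s -> %s\n' "$f" "$name"
done
```

Copy rather than rename if auditd is still managing rotation, since it expects to find audit.log.1, audit.log.2 and so on when it rotates.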