From: Steve Grubb
Subject: Re: How to read audit log?
Date: Tue, 25 Sep 2007 13:02:46 -0400
Message-ID: <200709251302.47171.sgrubb@redhat.com>
In-Reply-To: <1190738632.22109.54.camel@code.and.org>
To: James Antill
Cc: linux-audit@redhat.com, "Wieprecht, Karen M."
List-Id: linux-audit@redhat.com

On Tuesday 25 September 2007 12:43:52 James Antill wrote:
> > Yes. It would let you write an app that is more efficient than using perl
> > on ausearch output.
>
> That's not really true,

Sure it is. perl cannot do the interpretations. So you'd have to spend time writing all that code and maintain it or use ausearch to provide you that functionality.

> and when it is true it's only because ausearch is so slow at doing "cat":

It does a lot more than "cat". For example, it understands the ordering requirements of the logs and searches them in the correct order. It also assembles the records into an event before presenting them. It interprets some of the data so that it's more usable even if you don't ask for a full interpretation.

-Steve
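As an added illustration of the reassembly and interpretation Steve describes (example code written for this page, not part of audit or ausearch), the script below groups interleaved audit records by their audit(timestamp:serial) key and interprets a few fields of the resulting event. The sample log lines and the two-entry syscall table are constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed sample records (not from a real system). Records of event 42
# are interleaved with those of event 43, as they can be in audit.log, so a
# line-oriented grep sees fragments while ausearch reassembles whole events.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1190738632.101:42): arch=c000003e syscall=2 success=yes exit=3 uid=0 auid=500 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1190738632.105:43): arch=c000003e syscall=59 success=no exit=-13 uid=500 auid=500 comm="bash" exe="/bin/bash"
type=CWD msg=audit(1190738632.101:42):  cwd="/var/log"
type=PATH msg=audit(1190738632.101:42): item=0 name="/etc/shadow" inode=1234 mode=0100400 ouid=0 ogid=0
type=PATH msg=audit(1190738632.105:43): item=0 name="/usr/bin/passwd" inode=99 mode=0104755 ouid=0 ogid=0
"""

HEAD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Tiny x86_64 subset of the syscall table that ausearch -i consults (assumed).
SYSCALL_NAMES = {2: "open", 59: "execve"}

def parse_record(line):
    """Return ((timestamp, serial), record type, {field: value}) or None."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return (ts, int(serial)), rtype, fields

def assemble_events(text):
    """Group records by their audit(ts:serial) key, in first-seen order."""
    events = OrderedDict()
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed:
            key, rtype, fields = parsed
            events.setdefault(key, {}).setdefault(rtype, []).append(fields)
    return events

def summarize(event):
    """Interpret an assembled event: syscall name, outcome, login uid, paths."""
    sc = event["SYSCALL"][0]
    return {
        "syscall": SYSCALL_NAMES.get(int(sc["syscall"]), sc["syscall"]),
        "success": sc["success"] == "yes",
        "auid": int(sc["auid"]),
        "paths": [p["name"] for p in event.get("PATH", [])],
    }
```

Calling `summarize` on each value of `assemble_events(SAMPLE_LOG)` yields one interpreted event per serial, which is the view a per-line grep cannot give.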