* (no subject)
@ 2007-11-02 16:21 Bill Tangren
From: Bill Tangren @ 2007-11-02 16:21 UTC (permalink / raw)
To: Linux-audit
I am running audit-1.0.15-3.EL4 on a RHEL ES 4 system, fully patched. I am
trying to learn the meaning of the output of aureport. For example, if I
want to look at failed events, could you tell me what the following means?
That is, how do I know from this what is failing, and why?
[root@doggett ~]# /sbin/aureport -e --failed -ts yesterday 00:00:00 -te today 00:00:00
Event Report
===========================
# date time event type auid
===========================
1. 11/01/2007 12:00:00 AM 5844794 SYSCALL -1
TIA,
Bill Tangren
* Re: aureport output
From: Steve Grubb @ 2007-11-02 16:37 UTC (permalink / raw)
To: linux-audit
On Friday 02 November 2007 12:21:26 pm Bill Tangren wrote:
> Event Report
> ===========================
> # date time event type auid
> ===========================
> 1. 11/01/2007 12:00:00 AM 5844794 SYSCALL -1
The event report is to give you an idea about the distribution of events
occurring on your system. In this case, it's a syscall that is failing. To see
the actual record, use "ausearch -ts 11/01/2007 12:00:00 -te 11/01/2007 12:00:01 -a 5844794 -i"
-Steve
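The reply above describes a two-step workflow: aureport -e --failed shows the distribution of failed events, and ausearch -a <event id> -i pulls up the underlying record with its numeric fields interpreted. The script below is an added example, not code from the thread or from the audit project; it parses one data row of the report Bill posted and builds the narrowing ausearch call. It assumes the column order shown in the report (index, date, time, optional AM/PM, event id, type, auid) and that ausearch's -ts/-te options take a 24-hour HH:MM:SS clock, which is why the 12:00:00 AM row becomes 00:00:00; the sample row is the one from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): turn one data row of
# "aureport -e --failed" output into the "ausearch" call that shows the record.

# Convert "HH:MM:SS" plus "AM"/"PM" to a 24-hour clock. A row that already
# carries a 24-hour time (no AM/PM column) passes through unchanged.
to_24h() {
    t=$1; ampm=$2
    h=${t%%:*}; h=${h#0}        # drop a leading zero so "08" is not read as octal
    rest=${t#*:}
    case $ampm in
        AM) [ "$h" -eq 12 ] && h=0 ;;
        PM) [ "$h" -lt 12 ] && h=$((h + 12)) ;;
    esac
    printf '%02d:%s\n' "$h" "$rest"
}

# Add one second to a 24-hour HH:MM:SS clock without leaving the same date;
# 23:59:59 is returned unchanged so the window never spills into the next day.
plus_one_second() {
    h=${1%%:*}; rest=${1#*:}; m=${rest%%:*}; s=${rest#*:}
    h=${h#0}; m=${m#0}; s=${s#0}   # leading zeros would read as octal in $(( ))
    s=$((s + 1))
    if [ "$s" -eq 60 ]; then s=0; m=$((m + 1)); fi
    if [ "$m" -eq 60 ]; then m=0; h=$((h + 1)); fi
    if [ "$h" -eq 24 ]; then h=23; m=59; s=59; fi
    printf '%02d:%02d:%02d\n' "$h" "$m" "$s"
}

# auid -1 (stored in the log as 4294967295) means the login uid was never set:
# the process descends from boot or a daemon rather than an interactive login.
describe_auid() {
    case $1 in
        -1|4294967295) echo "unset (no login session)" ;;
        *)             echo "$1" ;;
    esac
}

# Build the ausearch command for one report row, e.g.
# "1. 11/01/2007 12:00:00 AM 5844794 SYSCALL -1"
# The one-second -ts/-te window keeps the log scan small; -a selects the
# event id and -i interprets uids, syscall numbers and similar fields.
aureport_line_to_ausearch() {
    set -- $1                      # split the row into its whitespace-separated columns
    d=$2; t=$3
    case $4 in
        AM|PM) t=$(to_24h "$t" "$4"); shift 4 ;;
        *)     shift 3 ;;
    esac
    event_id=$1
    printf 'ausearch -ts %s %s -te %s %s -a %s -i\n' \
        "$d" "$t" "$d" "$(plus_one_second "$t")" "$event_id"
}

# Demonstration on the constructed copy of the row from the thread.
aureport_line_to_ausearch "1. 11/01/2007 12:00:00 AM 5844794 SYSCALL -1"
describe_auid -1
```

Running the script prints the ausearch invocation for the row with the time converted to 00:00:00, and reports that the auid of -1 means the event was not tied to any login session. The interpreted record that ausearch then returns carries the syscall name, the exit code (the reason for the failure) and the executable, which is what the event report itself does not show.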