From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: auditing for RHEL ES4
Date: Fri, 16 Nov 2007 11:24:33 -0500
Message-ID: <200711161124.34339.sgrubb@redhat.com>
References: <4558.10.1.5.75.1195228480.squirrel@aa.usno.navy.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <4558.10.1.5.75.1195228480.squirrel@aa.usno.navy.mil>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday 16 November 2007 10:54:40 Bill Tangren wrote:
> The reports always cover the entire range of available logs (sometimes
> gigabytes of data). The reports can take a LONG time to compile, and it
> doesn't give me the daily snapshot I need.

Use the -ts and -te commandline options to limit the report range. It requires
the date format to be correct for your locale - iow date "+%x %T". The older
version does not support words like today or yesterday.

> I'm thinking of installing the latest tarball and compiling, as I understand
> more recent versions of aureport have implemented time limits.

The older one does, too.

> My question now is, is it possible to uninstall the prepackaged audit and
> audit-lib, and install the latest from source, without seriously hosing my
> system?

No, it will not work. RHEL4 (and derivatives) has to use the 1.0.X series of
audit packages.

-Steve
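
The daily snapshot discussed in this thread, as an added example that is not part of the original message: a shell wrapper that builds the -ts/-te window for one day in the locale's own %x format, so it does not depend on the "today"/"yesterday" keywords. The function names are hypothetical, and it assumes GNU date (for -d) and that aureport takes the date and the time as separate arguments.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes GNU date (-d).

# Print "<date> 00:00:00 <date> 23:59:59" for one day (default: yesterday),
# with the date rendered via %x so it matches the locale aureport runs in.
audit_day_window() {
    day=${1:-yesterday}
    d=$(date -d "$day" "+%x") || return 1
    case $d in
        # Some locales render %x with spaces; that cannot be passed as a
        # single date argument by this script, so refuse rather than guess.
        *" "*) echo "locale date '$d' contains a space" >&2; return 1 ;;
    esac
    printf '%s 00:00:00 %s 23:59:59\n' "$d" "$d"
}

# Run aureport limited to that one day instead of the whole log history.
daily_aureport() {
    window=$(audit_day_window "${1:-yesterday}") || return 1
    # Intentional word splitting: four fields -> date time date time.
    set -- $window
    aureport -ts "$1" "$2" -te "$3" "$4"
}

# Only call aureport when explicitly asked, e.g. from cron:
#   daily-audit.sh --report            (yesterday)
#   daily-audit.sh --report 2007-11-15 (a specific day)
if [ "${1:-}" = "--report" ]; then
    daily_aureport "${2:-yesterday}"
fi
```

Run it under the same locale settings as the interactive session where the date format was checked; cron often runs with a different LANG, which changes what %x produces.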