From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: ausearch question
Date: Fri, 2 May 2008 10:06:23 -0400
Message-ID: <200805021006.23950.sgrubb@redhat.com>
In-Reply-To: <1209665479.6930.41.camel@homeserver>
On Thursday 01 May 2008 14:11:19 LC Bruzenak wrote:
> I was wondering what a "-ts now" would return from my audit data.
What's in the audit logs starting now. aureport uses the exact same code as
ausearch for time operations, so it's more informative to use it to see what
time is actually resolved from these keywords. I get:
Summary Report
======================
Range of time in logs: 04/25/2008 09:31:10.388 - 05/02/2008 09:57:20.859
Selected time for report: 05/02/2008 00:00:00 - 05/02/2008 09:57:20.859
Which is clearly wrong. This looks like it's resolving to today instead of now.
I expect ausearch --start now to return nothing unless the system is busy
doing a lot of logging and you get records between the time it gets system
time until the time it opens the last log file for reading.
> I thought maybe it would be similar to a "tail" of the data, but that's
> not what I got.
No, tail is not easy to do. Patches are welcome if anyone wants to do it. But
you can do:
tail -f /var/log/audit/audit.log | ausearch -i
if you wanted that.
-Steve
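The distinction the reply is about (a start of "now" should select almost nothing, "today" selects everything since midnight) can be checked on constructed records with a small filter. The following is an added example, not ausearch's own code: it resolves a few --start keywords the way ausearch(8) documents them (my reading of the man page; "recent" is taken as ten minutes ago) and filters audit.log lines on the msg=audit(SECONDS.MILLIS:SERIAL) stamp. Midnight is computed in UTC here, where the real tool uses local time, and the sample log lines are constructed, not captured from a system.

```python
import re
from datetime import datetime, timedelta, timezone

# Every audit.log record carries its time as msg=audit(SECONDS.MILLIS:SERIAL);
# the serial ties together the records that make up one event.
AUDIT_TS = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")

# Constructed sample log, not real data. Epoch seconds are UTC;
# 1209686400 is 2008-05-02 00:00:00 UTC, so record 100 is "yesterday"
# and record 103 lands in the same second as the "now" used below.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1209665479.388:100): pid=3010 uid=0 auid=500 msg='op=login acct="lc" exe="/usr/sbin/sshd" res=success'
type=SYSCALL msg=audit(1209686405.120:101): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=2200 auid=500 uid=0
type=CONFIG_CHANGE msg=audit(1209736100.750:102): auid=500 op=add rule key="sgrubb" list=4 res=1
type=USER_END msg=audit(1209736640.900:103): pid=3010 uid=0 auid=500 msg='op=session_close acct="lc" res=success'
"""


def record_time(line):
    """Return the record's timestamp as epoch seconds (float), or None if
    the line carries no audit(...) stamp."""
    m = AUDIT_TS.search(line)
    if m is None:
        return None
    return int(m.group(1)) + int(m.group(2)) / 1000.0


def record_serial(line):
    """Return the event serial from the audit(...) stamp, or None."""
    m = AUDIT_TS.search(line)
    return int(m.group(3)) if m else None


def resolve_start(keyword, now):
    """Map a --start keyword to an epoch-seconds lower bound relative to
    'now' (epoch seconds). Keyword meanings follow ausearch(8) as I read
    it; this is a model of the documented behaviour, not the tool's code.
    Day and hour boundaries are computed in UTC (assumption), whereas the
    real tool uses local time."""
    now_dt = datetime.fromtimestamp(now, tz=timezone.utc)
    midnight = now_dt.replace(hour=0, minute=0, second=0, microsecond=0)
    keywords = {
        "now": now,                       # nothing older than this instant
        "recent": now - 10 * 60,          # ten minutes ago
        "this-hour": now_dt.replace(minute=0, second=0, microsecond=0).timestamp(),
        "today": midnight.timestamp(),    # since midnight
        "yesterday": (midnight - timedelta(days=1)).timestamp(),
    }
    try:
        return keywords[keyword]
    except KeyError:
        raise ValueError(f"unsupported start keyword: {keyword!r}")


def select_serials(log_text, keyword, now):
    """Return the serials of all records whose stamp is at or after the
    resolved start time, in file order. Lines without a stamp are skipped
    rather than treated as matches."""
    start = resolve_start(keyword, now)
    hits = []
    for line in log_text.splitlines():
        ts = record_time(line)
        if ts is not None and ts >= start:
            hits.append(record_serial(line))
    return hits


if __name__ == "__main__":
    # "now" is 2008-05-02 13:57:20 UTC, i.e. 09:57:20 -0400 as in the thread.
    now = 1209736640.0
    for kw in ("now", "recent", "today", "yesterday"):
        print(f"{kw:>10}: {select_serials(SAMPLE_LOG, kw, now)}")
```

Run as a script it prints one line per keyword; with this sample "now" matches only record 103 (the busy-system case of a record landing in the same second), "recent" matches 102 and 103, and "today" matches everything from 101 on, which is exactly the gap between the two keywords that the aureport output above exposes.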
2008-05-01 18:11 ausearch question LC Bruzenak
2008-05-02 14:06 ` Steve Grubb [this message]