From: Steve Grubb
Subject: Re: ausearch question
Date: Fri, 2 May 2008 10:06:23 -0400
Message-ID: <200805021006.23950.sgrubb@redhat.com>
References: <1209665479.6930.41.camel@homeserver>
In-Reply-To: <1209665479.6930.41.camel@homeserver>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday 01 May 2008 14:11:19 LC Bruzenak wrote:
> I was wondering what a "-ts now" would return from my audit data.

What's in the audit logs starting now. aureport uses the exact same code as
ausearch for time operations, so it's more informative to use it to see what
time is actually resolved from these keywords. I get:

Summary Report
======================
Range of time in logs: 04/25/2008 09:31:10.388 - 05/02/2008 09:57:20.859
Selected time for report: 05/02/2008 00:00:00 - 05/02/2008 09:57:20.859

Which is clearly wrong. This looks like it's resolving to today instead of
now. I expect ausearch --start now to return nothing unless the system is busy
doing a lot of logging and you get records between the time it gets system
time until the time it opens the last log file for reading.

> I thought maybe it would be similar to a "tail" of the data, but that's
> not what I got.

No, tail is not easy to do. Patches are welcome if anyone wants to do it. But
you can do:

tail -f /var/log/audit/audit.log | ausearch -i

if you wanted that.

-Steve
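The time-keyword resolution discussed in this reply, as an added example that is not part of the thread or of the audit userspace code: a small resolver shows the difference between "now" (the current time) and "today" (midnight), reproduces the reported behaviour where "now" collapses to midnight, and filters records in the aureport timestamp format against the resulting range. The record timestamps, labels and the fixed "now" value are constructed for the example.

```python
"""Added example: ausearch/aureport-style start keyword resolution and the
effect on which audit records are selected."""
from datetime import datetime

# Timestamp format used in the aureport "Range of time in logs" line.
TS_FMT = "%m/%d/%Y %H:%M:%S.%f"


def resolve_start(keyword: str, now: datetime, buggy: bool = False) -> datetime:
    """Map a start keyword to an absolute time.

    'now'   -> the current time (expected behaviour)
    'today' -> midnight at the start of the current day
    buggy=True makes 'now' resolve to midnight, reproducing the behaviour
    reported in the thread (constructed, not the real ausearch code)."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if keyword == "today" or (keyword == "now" and buggy):
        return midnight
    if keyword == "now":
        return now
    raise ValueError(f"unsupported keyword: {keyword!r}")


def select_records(records, start: datetime, end: datetime):
    """Return records whose timestamp lies in the closed range [start, end]."""
    return [r for r in records if start <= r[0] <= end]


# Constructed sample records: (timestamp in aureport format, record type).
SAMPLE = [
    ("04/25/2008 09:31:10.388", "USER_LOGIN"),
    ("05/02/2008 00:00:01.000", "CRED_ACQ"),
    ("05/02/2008 09:57:20.859", "SYSCALL"),
]
RECORDS = [(datetime.strptime(ts, TS_FMT), kind) for ts, kind in SAMPLE]


def run(keyword: str, buggy: bool = False):
    """Select record types for a keyword; 'now' is pinned just after the
    last sample record so the result is reproducible offline."""
    now = datetime.strptime("05/02/2008 09:57:21.000", TS_FMT)
    start = resolve_start(keyword, now, buggy)
    return [kind for _, kind in select_records(RECORDS, start, now)]


if __name__ == "__main__":
    print("now   (expected):", run("now"))              # []
    print("now   (reported):", run("now", buggy=True))  # ['CRED_ACQ', 'SYSCALL']
    print("today           :", run("today"))            # ['CRED_ACQ', 'SYSCALL']
```

With the expected resolution, "now" yields no records, matching the statement above that `ausearch --start now` should return nothing on a quiet system; the reported behaviour returns everything since midnight, the same as "today".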