ausearch from cron

ausearch from cron

[Kurt S Harris]

When I run an ausearch from a cron in RedHat 5.1 I don't get any output, 
running the same command from the command line I get results.  Any ideas 
on what I'm missing?

output:
<no matches>
May 29 09:36:01 magenta last message repeated 3 times
May 29 09:36:01 magenta logger: AuditSearch: -ts 09:35:00 -te 09:36:00
May 29 09:36:01 magenta logger:

crontab:
* * * * 1-5 /usr/sbin/logaudit >> /var/log/messages 2>>/var/log/messages

logaudit:
#!/bin/bash
logaudit(){
ctime=$(/bin/date '+%T')
min=$(echo ${ctime}|cut -f2 -d:)
if [ "${min}" = "00" ];then
        Args=$(echo ${ctime} | /bin/awk -F : '{print "-ts "$1 -1 ":59:00 
-te "$1":"$2":00"}')
else
        Args=$(echo ${ctime} | /bin/awk -F : '{print "-ts "$1":" $2 - 1 
":00 -te "$1":"$2":00"}')
fi
echo -e "\nAuditSearch:" $Args
/sbin/ausearch ${Args} -i >> /var/log/messages 2>>/var/log/messages
echo -e "\n\n"

}

logaudit | /usr/bin/logger -p auth.alert

Re: ausearch from cron

[Steve Grubb]

On Thursday 29 May 2008 11:37:27 Kurt S Harris wrote:
> When I run an ausearch from a cron in RedHat 5.1 I don't get any output,
> running the same command from the command line I get results.  Any ideas
> on what I'm missing?

You should upgrade to the audit package in RHEL5.2 where this has been fixed. 
You would then add the --input-logs commandline option to force it to use the 
logs instead of stdin.

-Steve