From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: audisp resend question
Date: Thu, 4 Dec 2008 13:45:45 -0500
Message-ID: <200812041345.45785.sgrubb@redhat.com>
References: <1228411289.14768.187.camel@homeserver>
	<200812041242.22792.sgrubb@redhat.com>
	<1228413174.14768.198.camel@homeserver>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from centaur.localnet (vpn-13-5.rdu.redhat.com [10.11.13.5])
	by ns3.rdu.redhat.com (8.13.8/8.13.8) with ESMTP id mB4Ijgci007489
	for <linux-audit@redhat.com>; Thu, 4 Dec 2008 13:45:42 -0500
In-Reply-To: <1228413174.14768.198.camel@homeserver>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday 04 December 2008 12:52:54 LC Bruzenak wrote:
> > All audisp plugins take their data from stdin. You can pipe the raw
> > output of ausearch into audisp-remote and it should do the right thing.
>
> OK, works for me...the last sent message on the collector is
> identifiable, but do timestamps (with full precision) work as input to
> the "-ts" switch?

Not at this point. Ausearch always shows the converted time unless you do a --
raw.


> I don't know how to remove duplicates (probably not be an issue anyway).

Aureport is about the only thing that cares. Also, a duplicate 
boot/login/logout will also affect aulast.

-Steve