From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: ausearch
Date: Sat, 17 Oct 2009 12:05:49 -0400
Message-ID: <200910171205.49922.sgrubb@redhat.com>
References: <04F7A41038AF32428FFDDACD8E68B7070E9FB2D3F3@ACDSSDMAILSRV01.acd.de.ittind.com>
	<04F7A41038AF32428FFDDACD8E68B7070E9FB2D45A@ACDSSDMAILSRV01.acd.de.ittind.com>
Mime-Version: 1.0
Content-Type: Text/Plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <04F7A41038AF32428FFDDACD8E68B7070E9FB2D45A@ACDSSDMAILSRV01.acd.de.ittind.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: "Pittigher, Raymond - CS" <Raymond.Pittigher@itt.com>
List-Id: linux-audit@redhat.com

On Friday 16 October 2009 06:25:42 pm Pittigher, Raymond - CS wrote:
> I see that the -w or --word switch was added to the ausearch but how it it
>  used?

It is used in addition to other matching. If you were to try this search:

ausearch --start today -f va

it will match any file that has va anywhere in it - for example /var/run would 
match. But if you change it to this:

ausearch --start today  -f va   -w

now, /var/run would no longer match. It would insist on the whole file path to 
be va.


> But I have been trying
> 
> ausearch -w failed and variation of that but only get the message

You would just use  "ausearch -sv no" to find failed records. Some search 
options do not do partial matches. The -w option does not take an argument.
 
-Steve