aureport header question

aureport header question

[LC Bruzenak]

Steve (et. al.):

I still see the aureport error (below).
Has this been addressed in any patches in the V 2 audit release?

Good example:
[issm1@audit ~]$ sudo aureport -ts yesterday -i --summary

Summary Report
======================
Range of time in logs: 03/25/2010 00:01:02.160 - 03/25/2010 15:26:29.341
Selected time for report: 03/24/2010 00:00:00 - 03/25/2010 15:26:29.341

[issm1@audit ~]$ date
Thu Mar 25 16:10:11 UTC 2010

Bad example (note "Range of time in logs" line):
[issm1@audit ~]$ sudo aureport -ts yesterday -te 03/25/2010 00:00:00
-i --summary

Summary Report
======================
Range of time in logs: 01/01/1970 00:00:00.000 - 01/01/1970 00:00:00.000
Selected time for report: 03/24/2010 00:00:00 - 03/25/2010 00:00:00


Thx,
LCB.


-- 
LC (Lenny) Bruzenak

Re: aureport header question

[LC Bruzenak]

On Thu, Mar 25, 2010 at 4:13 PM, LC Bruzenak <lenny@magitekltd.com> wrote:
> Steve (et. al.):
>
> I still see the aureport error (below).
> Has this been addressed in any patches in the V 2 audit release?
>
Never mind; I see the issue. There are no events. Sorry for the bother.

LCB.

-- 
LC (Lenny) Bruzenak

Re: aureport header question

[LC Bruzenak]

OK, let me try again.

1st summarize all in the dir (minor - time precision varies on report
time start/ends):
[root@audit tmp]# aureport -if audit-mirror/ -i --summary

Summary Report
======================
Range of time in logs: 03/23/2010 16:30:17.279 - 03/26/2010 01:58:02.255
Selected time for report: 03/23/2010 16:30:17 - 03/26/2010 01:58:02.255
...

2nd see events from yesterday through now (range of time in logs isn't
accurate as shown above; same files are there):
[root@audit tmp]# aureport -if audit-mirror/ -i --summary -ts
yesterday -te today

Summary Report
======================
Range of time in logs: 03/25/2010 00:01:01.519 - 03/26/2010 01:58:02.255
Selected time for report: 03/25/2010 00:00:00 - 03/26/2010 01:58:53
...

Now see the issue I was trying to illustrate earlier (ending time of
range in logs; there are definitely events there in that timeframe) :
[root@audit tmp]# aureport -if audit-mirror/ -i --summary -ts
yesterday -te 03/26/2010 00:00:00

Summary Report
======================
Range of time in logs: 03/25/2010 00:01:01.519 - 01/01/1970 00:00:00.000
Selected time for report: 03/25/2010 00:00:00 - 03/26/2010 00:00:00
Number of changes in configuration: 234
Number of changes to accounts, groups, or roles: 0
Number of logins: 7
Number of failed logins: 146
...

And this is the issue I was questioning.
Do you think it has been addressed already by possibly newer code than
I have (1.7.16)?

Thx,
LCB.
-- 
LC (Lenny) Bruzenak

Re: aureport header question

[Steve Grubb]

On Thursday 25 March 2010 10:35:57 pm LC Bruzenak wrote:
> Now see the issue I was trying to illustrate earlier (ending time of
> range in logs; there are definitely events there in that timeframe) :
> [root@audit tmp]# aureport -if audit-mirror/ -i --summary -ts
> yesterday -te 03/26/2010 00:00:00

aureport/search aborts processing an event if the parsing is wrong. There may 
be some records with formats that do not match. You might try getting the logs 
smaller and smaller until you get a few that reproduce the problem.
 
> And this is the issue I was questioning.
> Do you think it has been addressed already by possibly newer code than
> I have (1.7.16)?

1.7.17 is the latest. I don't think it addresses this issue.

-Steve