From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: log files
Date: Fri, 17 Jun 2011 14:38:25 -0400
Message-ID: <201106171438.25430.sgrubb@redhat.com>
In-Reply-To: <6815A555A0B82148AEFE4966093BBBF5366DD7A644@USFWA1EXMBX3.itt.net>
On Friday, June 17, 2011 02:15:19 PM Pittigher, Raymond - ES wrote:
> What do the users of this list use to read the log files? I have tried
> Spacewalk (which is nice) but is a lot of software to install to read
> logs. I have looked at Prewikka but do not have it totally configured yet
> to give it an OK or not.
The audit log files are intended to be read with ausearch. You can also use vi or less
or emacs as long as you don't change anything. :) But ausearch has more knowledge
about the logs and can make it easier to understand.
The aureport tool can give columnar and summary information about the logs. It can
also take the raw output of ausearch as input if you want to do anything fancy. (See
the http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-005.pdf article about the
audit system for examples of combining ausearch and aureport.)
Aulast can tell you about login sessions and give you command line queries to extract
information about a particular login session. (This is newer and not available in
older audit package releases.)
As for syslog and application log files, I'm sure there are a lot of tools.
-Steve
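The reply above says ausearch "has more knowledge about the logs" than a text editor. The added example below (not code from Steve Grubb or the audit project) shows what that knowledge is: raw audit records carry a `msg=audit(TIMESTAMP:SERIAL)` stamp, and the SYSCALL, EXECVE and PROCTITLE lines of one system call share a serial, so a viewer has to group by that key; some string fields arrive hex-encoded and must be decoded, as `ausearch -i` does; and an aureport-style summary is just a count over those grouped events. The five log lines in `SAMPLE_LOG` are constructed for the example, and every pid, uid, address and timestamp in them is made up.

```python
"""Parse raw Linux audit records the way ausearch groups them (added example,
not part of the original mailing-list post or of the audit package)."""
import re
from collections import Counter, defaultdict

# Constructed sample records in the on-disk audit.log format, which is the same
# format `ausearch --raw` emits. All values below are invented for the example.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1308337014.821:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="exec"
type=EXECVE msg=audit(1308337014.821:4567): argc=2 a0="cat" a1="/etc/shadow"
type=PROCTITLE msg=audit(1308337014.821:4567): proctitle=636174002F6574632F736861646F77
type=USER_LOGIN msg=audit(1308337100.005:4570): pid=2100 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1308337150.330:4571): arch=c000003e syscall=59 success=no exit=-13 ppid=2100 pid=2150 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=4 comm="bash" exe="/bin/bash" key="exec"
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# A field is name=value; the value is bare, "double quoted", or 'single quoted'
# (the latter wraps the nested msg='...' block of user-space records).
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
# String fields the kernel hex-encodes (unquoted) when they hold NUL, space or
# a double quote; everything else that is bare is a number or a symbol.
HEX_STRING_FIELDS = {"proctitle", "comm", "exe", "cwd", "name", "acct", "data"}


def decode_hex_field(value):
    """Decode a hex-encoded audit string, turning embedded NUL separators into
    spaces the way `ausearch -i` renders proctitle. Non-hex input is returned as is."""
    if len(value) >= 2 and len(value) % 2 == 0 and HEX_RE.match(value):
        raw = bytes.fromhex(value).decode("utf-8", "replace")
        return raw.replace("\x00", " ").rstrip()
    return value


def parse_fields(rtype, body):
    """Split a record body into a dict; nested msg='...' fields are flattened in."""
    fields = {}
    for name, value in FIELD_RE.findall(body):
        if value[:1] in "\"'":
            inner = value[1:-1]
            if name == "msg":
                fields.update(parse_fields(rtype, inner))
            fields[name] = inner
        elif name in HEX_STRING_FIELDS or (rtype == "EXECVE" and re.fullmatch(r"a\d+", name)):
            fields[name] = decode_hex_field(value)
        else:
            fields[name] = value
    return fields


def parse_records(text):
    """Parse every type=... msg=audit(...) line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        records.append({"type": rtype, "time": ts, "serial": int(serial),
                        "fields": parse_fields(rtype, body)})
    return records


def group_events(records):
    """Group records into events keyed by (timestamp, serial): this is how
    ausearch reassembles the SYSCALL/EXECVE/PROCTITLE lines of one system call."""
    events = defaultdict(list)
    for rec in records:
        events[(rec["time"], rec["serial"])].append(rec)
    return dict(events)


def search(events, **criteria):
    """ausearch-style filtering: event ids whose merged fields match every
    criterion, e.g. search(events, key="exec") or search(events, success="no")."""
    hits = []
    for eid, recs in sorted(events.items()):
        merged = {}
        for rec in recs:
            merged.update(rec["fields"])
        if all(merged.get(k) == v for k, v in criteria.items()):
            hits.append(eid)
    return hits


def command_line(recs):
    """Reconstruct the command of an execve event from the EXECVE argv fields,
    falling back to the hex-decoded PROCTITLE record."""
    for rec in recs:
        if rec["type"] == "EXECVE":
            f = rec["fields"]
            return " ".join(f["a%d" % i] for i in range(int(f["argc"])))
    for rec in recs:
        if rec["type"] == "PROCTITLE":
            return rec["fields"]["proctitle"]
    return None


def summarize(events):
    """aureport --summary style counts: records by type, events per rule key,
    login records and failed syscalls."""
    types, keys = Counter(), Counter()
    logins = failed = 0
    for recs in events.values():
        seen_keys = set()
        for rec in recs:
            types[rec["type"]] += 1
            f = rec["fields"]
            if f.get("key") not in (None, "(null)"):
                seen_keys.add(f["key"])
            if rec["type"] == "USER_LOGIN":
                logins += 1
            if rec["type"] == "SYSCALL" and f.get("success") == "no":
                failed += 1
        keys.update(seen_keys)
    return {"events": len(events), "types": dict(types), "keys": dict(keys),
            "logins": logins, "failed_syscalls": failed}


if __name__ == "__main__":
    events = group_events(parse_records(SAMPLE_LOG))
    for eid in search(events, key="exec"):
        sc = next(r["fields"] for r in events[eid] if r["type"] == "SYSCALL")
        print(eid, "auid=%s success=%s" % (sc["auid"], sc["success"]), command_line(events[eid]))
    print(summarize(events))
```

Run it and the two `key="exec"` events print with their reconstructed command lines, followed by the summary dict. The point of the grouping step is the one a text editor misses: the denied `cat /etc/shadow` attempt only makes sense once the SYSCALL line (who, and whether it succeeded) is read together with the EXECVE and PROCTITLE lines (what) that share its serial.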
Thread overview: 8+ messages
2011-06-17 18:15 log files Pittigher, Raymond - ES
2011-06-17 18:27 ` LC Bruzenak
2011-06-17 18:32 ` Pittigher, Raymond - ES
2011-06-17 18:57 ` Dominick Grift
[not found] ` <1308337014.7213.10.camel@lcb>
2011-06-17 19:15 ` Pittigher, Raymond - ES
2011-06-17 19:56 ` LC Bruzenak
2011-06-17 21:33 ` Pittigher, Raymond - ES
2011-06-17 18:38 ` Steve Grubb [this message]