From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: log files
Date: Fri, 17 Jun 2011 14:38:25 -0400
Message-ID: <201106171438.25430.sgrubb@redhat.com>
References: <6815A555A0B82148AEFE4966093BBBF5366DD7A644@USFWA1EXMBX3.itt.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <6815A555A0B82148AEFE4966093BBBF5366DD7A644@USFWA1EXMBX3.itt.net>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday, June 17, 2011 02:15:19 PM Pittigher, Raymond - ES wrote:
> What do the users of this list use to read the log files? I have tried
> Spacewalk (which is nice) but is a lot of software to install to read
> logs. I have looked at Prewikka but do not have it totally configured yet
> to give it an OK or not.

The audit log files are intended to be read with ausearch. You can also use
vi or less or emacs as long as you don't change anything. :) But ausearch has
more knowledge about the logs and can make it easier to understand.

The aureport tool can give columnar and summary information about the logs.
It can also take the raw output of ausearch as input if you want to do
anything fancy. (See the
http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-005.pdf article
about the audit system for examples of combining ausearch and aureport.)

Aulast can tell you about login sessions and give you command line queries
to extract information about a particular login session. (This is newer and
not available in older audit package releases.)

As for syslog and application log files, I'm sure there are a lot of tools.

-Steve
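
An added illustration, not part of the message above and not ausearch's own code: the Python below shows the kind of interpretation that makes raw audit records hard to follow in vi or less, namely grouping records by their audit(time:serial) stamp, converting the epoch time, and decoding hex-encoded strings. The sample records are constructed, and the list of hex-encoded field names is a simplifying assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in the raw audit.log layout (not from a real system).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1308335905.123:456): arch=c000003e syscall=59 success=yes exit=0 pid=2301 auid=500 uid=0 comm="cat" exe="/bin/cat" key="exec-watch"
type=EXECVE msg=audit(1308335905.123:456): argc=2 a0="cat" a1=2F746D702F6D792066696C65
type=PATH msg=audit(1308335905.123:456): item=0 name="/bin/cat" inode=1234 mode=0100755
type=USER_LOGIN msg=audit(1308335960.500:457): pid=2400 uid=0 auid=500 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\(((\d+)\.\d+:\d+)\): ?(.*)$")
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
# Assumption: these string fields are quoted when safe and hex-encoded otherwise.
ENCODED = re.compile(r"^(a\d+|name|comm|exe|acct)$")
HEX = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def parse_fields(body):
    """Parse key=value pairs, decoding hex strings and nested msg='...' bodies."""
    out = {}
    for key, val in FIELD.findall(body):
        if len(val) > 1 and val[0] == val[-1] == "'":    # userspace msg='...'
            out.update(parse_fields(val[1:-1]))
        elif len(val) > 1 and val[0] == val[-1] == '"':  # quoted, printable string
            out[key] = val[1:-1]
        elif ENCODED.match(key) and HEX.match(val):      # unquoted means hex
            out[key] = bytes.fromhex(val).decode("utf-8", "replace")
        else:
            out[key] = val
    return out


def group_events(log_text):
    """Group records that share one audit(time:serial) stamp into one event."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record
        rtype, stamp, secs, body = m.groups()
        when = datetime.fromtimestamp(int(secs), tz=timezone.utc)
        ev = events.setdefault(stamp, {"time": when.strftime("%Y-%m-%d %H:%M:%S"), "records": []})
        ev["records"].append((rtype, parse_fields(body)))
    return events


if __name__ == "__main__":
    for stamp, ev in group_events(SAMPLE_LOG).items():
        print(stamp, ev["time"], "UTC", ev["records"])
```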