From: Ed Christiansen <edwardc@ll.mit.edu>
To: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Archiving audits daily
Date: Sat, 18 Oct 2008 10:58:19 -0400
Message-ID: <48F9F98B.8030207@ll.mit.edu>
In-Reply-To: <48F61221.2050509@redhat.com>
Greetings,
I have a requirement to archive audits daily. I can use the
audit tools to get all the records for a single day:
ausearch -ts 10/16/2008 00:00:00 -te 10/16/2008 23:59:60
but this returns a processed log entry. I would like the
resulting event data to be in exactly the same format as the
original file instead so the ausearch and aureport tools
can be run directly on the resulting data file. When I try
it with the ausearch data I get weird date results for the
start date. I would have guessed at -u for unprocessed,
or -r for raw, but I don't see an option like this. Is there
a way to accomplish this that I am missing?
Thanks in advance,
--
Ed Christiansen
Group 93 ISSO/IT Team Lead
MIT Lincoln Laboratory - Building S
244 Wood St
Lexington MA 02420-9185
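The procedure asked about above, as an added example that is not part of the original post or of the audit project's own tooling: a daily archive script that extracts one calendar day of records in the unformatted on-disk record format so that ausearch and aureport can be run directly against the archive. It assumes the `-r`/`--raw` and `-if`/`--input` options that the ausearch(8) and aureport(8) man pages document in current audit-userspace (the page does not say whether the 2008 release the poster had offered them), it assumes the US-style `MM/DD/YYYY` date format the poster's own command uses, and it assumes ausearch's documented exit codes (0 matches, 1 no matches, anything else an error). The archive directory, file name and `SHA256SUMS` manifest are this example's own choices.

```shell
#!/bin/sh
# Daily raw audit archive (added example; not from the original post).
# Assumes: ausearch --raw / -if and aureport -if as documented in
# audit-userspace; ausearch exit codes 0 = matches, 1 = no matches.

# Turn YYYY-MM-DD into the -ts/-te boundaries for that day and print them
# as "MM/DD/YYYY 00:00:00 MM/DD/YYYY 23:59:59" (US date layout, as in the
# poster's own command).
day_bounds() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "day_bounds: expected YYYY-MM-DD, got '$1'" >&2; return 1 ;;
    esac
    y=${1%%-*}
    md=${1#*-}
    m=${md%-*}
    d=${md#*-}
    echo "$m/$d/$y 00:00:00 $m/$d/$y 23:59:59"
}

# Archive file name for a given directory and day (this example's naming).
archive_path() {
    echo "$1/audit-$2.raw"
}

# Extract one day of records in raw form, verify the result is readable by
# the audit tools, and record its SHA-256 so later tampering is detectable.
archive_day() {
    dir=$1
    day=$2
    bounds=$(day_bounds "$day") || return 1
    set -- $bounds                       # $1 $2 = start, $3 $4 = end
    out=$(archive_path "$dir" "$day")

    umask 077                            # archive is root-readable only
    mkdir -p "$dir" || return 1

    # --raw writes records exactly as they appear in audit.log, so the
    # archive can be fed back to ausearch/aureport with -if.
    ausearch --raw -ts "$1" "$2" -te "$3" "$4" > "$out"
    rc=$?
    case $rc in
        0) ;;
        1) echo "archive_day: no audit records for $day (empty archive kept)" >&2 ;;
        *) echo "archive_day: ausearch failed with exit $rc" >&2
           rm -f "$out"; return 1 ;;
    esac

    # Prove the archive is consumable by the tools before trusting it.
    if [ -s "$out" ] && ! aureport -if "$out" > /dev/null; then
        echo "archive_day: $out is not readable by aureport" >&2
        return 1
    fi

    # Integrity manifest: compare against this later to detect edits.
    sha256sum "$out" >> "$dir/SHA256SUMS" || return 1
    echo "$out"
}

# Usage: sh archive_audit.sh /var/log/audit/archive 2008-10-16
# With no date given, archives yesterday (needs GNU date for -d).
if [ "$#" -ge 1 ]; then
    archive_day "$1" "${2:-$(date -d yesterday +%F)}"
fi
```

The verification step matters: a daily cron job that silently writes an unreadable file is worse than none, so the script refuses to keep an archive that aureport cannot parse. The manifest is only as trustworthy as the host; copying `SHA256SUMS` off-box (or signing it) is what turns it into evidence.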
Thread overview:
2008-10-15 15:54 A modular auditd Matthew Booth
2008-10-18 14:58 ` Ed Christiansen [this message]
2008-10-18 15:28 ` Archiving audits daily Steve Grubb