From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ed Christiansen <edwardc@ll.mit.edu>
Subject: Archiving audits daily
Date: Sat, 18 Oct 2008 10:58:19 -0400
Message-ID: <48F9F98B.8030207@ll.mit.edu>
References: <48F61221.2050509@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id m9IEx3l1028692
	for <linux-audit@redhat.com>; Sat, 18 Oct 2008 10:59:03 -0400
Received: from ll.mit.edu (LLMAIL1.LL.MIT.EDU [129.55.12.41])
	by mx3.redhat.com (8.13.8/8.13.8) with ESMTP id m9IEwr1D023032
	for <linux-audit@redhat.com>; Sat, 18 Oct 2008 10:58:53 -0400
Received: (from smtp@localhost) by ll.mit.edu (8.12.10/8.8.8) id m9IEwq5u029982
	for <linux-audit@redhat.com>; Sat, 18 Oct 2008 10:58:52 -0400 (EDT)
In-Reply-To: <48F61221.2050509@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: "linux-audit@redhat.com" <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

Greetings,

I have a requirement to archive audits daily.  I can use the
audit tools to get all the records for a single day:

ausearch -ts 10/16/2008 00:00:00 -te 10/16/2008 23:59:60

but this returns a processed log entry.  I would like the
resulting event data to be in exactly the same format as the
original file instead so the ausearch and aureport tools
can be run directly on the resulting data file.  When I try
it with the ausearch data I get weird date results for the
start date.  I would have guessed at -u for unprocessed,
or -r for raw, but I don't see an option like this.  Is there
a way to accomplish this that I am missing?

Thanks in advance,
_____  ______________
\   / /__________   /
  | |  .  ...  .  | |    Ed Christiansen
  | | : ..   .. : | |    Group 93 ISSO/IT Team Lead
  | | .   ...   . | |
  | | : ..   .. : | |    MIT Lincoln Laboratory - Building S
  | |  ..  .  ..  | |    244 Wood St
  | | . ..   .. . | |    Lexington MA  02420-9185
  | | :.  ...  .: | |
  | | . ..  ..  . | |
  | |  .  ...  .  | |
  | |___________  | |
/_____________/ /___\