From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Norman Mark St. Laurent"
Subject: Re: buffer space
Date: Mon, 17 Aug 2009 14:13:45 -0400
Message-ID: <4A899DD9.40900@conceras.com>
References: <1250531163.3048.720.camel@homeserver> <200908171401.11835.sgrubb@redhat.com>
In-Reply-To: <200908171401.11835.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

cat --> zcat for the gzip files...

THANKS Steve... Very Nice....

Norman Mark St. Laurent
Conceras | Chief Technology Officer and ISSE
Phone: 703-965-4892
Email: mstlaurent@conceras.com
Web: http://www.conceras.com
Connect. Collaborate. Conceras.

Steve Grubb wrote:
> On Monday 17 August 2009 01:46:03 pm LC Bruzenak wrote:
>
>>> UGH this is a wrench in the works...
>>> I was hoping to grab all the rotated logs, process them while still
>>> allowing audit to run with no interruptions. Problem I run into is
>>> I run ausearch -i > /tmp/file and then do ausearch -i /nfs/file with
>>> auditd stopped, then compare files and if they are the same in size
>>> then delete the /tmp/file. I do this to make sure I get the log in
>>> the nfs archive directory and the /tmp is a backup if there is a
>>> problem. If audit is running there is no way the files will be equal
>>> in size while processing the /var/log/audit data in two different
>>> intervals.
>>>
>> It's a problem for me too.
>> I was thinking about just patching the ausearch code to behave as
>> desired...but hoping Steve beat me to it so there was a greatly reduced
>> chance of bad code...
>>
>
> #cat `ls /var/log/audit/a* | sort -r` | ausearch -i
> #cat `ls /var/log/audit/a* | sort -r` | aureport
>
> cat can open more than one file at a time,
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
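
Added example, not part of the original thread: a shell function that feeds plain and gzip-compressed rotated logs to ausearch or aureport as one stream, oldest records first, while auditd keeps running. It goes beyond the one-liner quoted above by ordering the rotation suffix numerically, so audit.log.10 is read before audit.log.2. The function name audit_stream and the audit.log.N / audit.log.N.gz naming are assumptions.

```shell
#!/bin/sh
# audit_stream [DIR]
# Write every audit log in DIR (default /var/log/audit) to stdout, oldest first.
# Assumed naming: audit.log is the live file, audit.log.N is a rotated file
# (higher N = older), and an optional .gz suffix marks a compressed one.
audit_stream() {
    dir=${1:-/var/log/audit}
    tab=$(printf '\t')
    for f in "$dir"/audit.log "$dir"/audit.log.*; do
        [ -f "$f" ] || continue
        n=${f##*/audit.log}        # "", ".3" or ".3.gz"
        n=${n#.}
        n=${n%.gz}
        case $n in
            '')       n=0 ;;       # live log is the newest, so it sorts last
            *[!0-9]*) continue ;;  # skip anything that is not a rotation number
        esac
        printf '%s\t%s\n' "$n" "$f"
    done |
    sort -t "$tab" -k1,1nr |       # numeric, descending: oldest file first
    cut -f2- |
    while IFS= read -r f; do
        case $f in
            *.gz) gzip -dc -- "$f" ;;   # same effect as zcat
            *)    cat -- "$f" ;;
        esac
    done
}

# Typical use, mirroring the commands quoted in the thread:
#   audit_stream /var/log/audit | ausearch -i
#   audit_stream /var/log/audit | aureport
```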