From mboxrd@z Thu Jan  1 00:00:00 1970
From: Dean DeFreitas <dean@DeFreitas.net>
Subject: Re: ausearch & aureport fail from cron
Date: Fri, 01 Jun 2012 12:54:18 -0600
Message-ID: <4FC90FDA.60103@DeFreitas.net>
References: <112530930.8418.1338388454285.JavaMail.mail@webmail10>
	<201206010916.15621.sgrubb@redhat.com>
Reply-To: dean@DeFreitas.net
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx15.extmail.prod.ext.phx2.redhat.com
	[10.5.110.20])
	by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id q51IsMfw023310
	for <linux-audit@redhat.com>; Fri, 1 Jun 2012 14:54:23 -0400
Received: from mail1.kci.net (mail1.kci.net [64.187.64.9])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q51IsLpi019048
	for <linux-audit@redhat.com>; Fri, 1 Jun 2012 14:54:22 -0400
Received: from localhost (localhost [127.0.0.1])
	by mail1.kci.net (Postfix) with ESMTP id 333421B6F67
	for <linux-audit@redhat.com>; Fri,  1 Jun 2012 12:54:21 -0600 (MDT)
Received: from mail1.kci.net ([127.0.0.1])
	by localhost (mail1.kci.net [127.0.0.1]) (amavisd-new, port 10024)
	with SMTP id 5Ao17Jib4UXl for <linux-audit@redhat.com>;
	Fri,  1 Jun 2012 12:54:20 -0600 (MDT)
Received: from mail2.kci.net (mail2.kci.net [64.187.64.10])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail1.kci.net (Postfix) with ESMTPS id C34641B6F54
	for <linux-audit@redhat.com>; Fri,  1 Jun 2012 12:54:20 -0600 (MDT)
Received: from localhost (localhost [127.0.0.1])
	by mail2.kci.net (Postfix) with ESMTP id 383574ABC
	for <linux-audit@redhat.com>; Fri,  1 Jun 2012 12:54:20 -0600 (MDT)
Received: from mail2.kci.net ([127.0.0.1])
	by localhost (mail2.kci.net [127.0.0.1]) (amavisd-new, port 10024)
	with SMTP id eqJ7qwKVMoi0 for <linux-audit@redhat.com>;
	Fri,  1 Jun 2012 12:54:19 -0600 (MDT)
In-Reply-To: <201206010916.15621.sgrubb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Steve,

Thank you for the reply. I appreciate your time. There was some weird
line wrap on my 3 examples, but I did try that in my second example. I
would not have posted for help if I hadn't exhausted all other attempts.

regards,
Dean


/sbin/ausearch -if /var/log/audit/audit.log  -ts 05/29/2012 00:00:00 -te 05/29/2012 23:59:59 > somefile.txt 

/sbin/ausearch --input-logs -ts 05/29/2012 00:00:00 -te 05/29/2012 23:59:59 > somefile.txt 

cat /var/log/audit/audit.log | /sbin/ausearch -ts 05/29/2012 00:00:00 -te 05/29/2012 23:59:59 > somefile.txt



On 06/01/2012 07:16 AM, Steve Grubb wrote:
> On Wednesday, May 30, 2012 10:34:14 AM dean@defreitas.net wrote:
>>  I am using RHEL 5.8 (upgraded from 5.7) and I can not get these reporting
>> tools to work from cron. I have tried many variations to no avail:
>>
>> /sbin/ausearch -if /var/log/audit/audit.log  -ts 05/29/2012 00:00:00 -te
>> 05/29/2012 23:59:59 > somefile.txt /sbin/ausearch --input-logs -ts
>> 05/29/2012 00:00:00 -te 05/29/2012 23:59:59 > somefile.txt cat
>> /var/log/audit/audit.log | /sbin/ausearch -ts 05/29/2012 00:00:00 -te
>> 05/29/2012 23:59:59 > somefile.txt
>>
>> Each of those work from the command line and in a script, but fail when the
>> script is run from cron.
> You need to pass the "--input-logs" command line option to force it to look at 
> the logs instead of stdin.
>
> -Steve
>