linux-audit.redhat.com archive mirror
* ausearch
       [not found] <04F7A41038AF32428FFDDACD8E68B7070E9FB2D3F3@ACDSSDMAILSRV01.acd.de.ittind.com>
@ 2009-10-16 22:25 ` Pittigher, Raymond  - CS
  2009-10-17 16:05   ` ausearch Steve Grubb
  0 siblings, 1 reply; 6+ messages in thread
From: Pittigher, Raymond  - CS @ 2009-10-16 22:25 UTC (permalink / raw)
  To: linux-audit@redhat.com


I see that the -w or --word switch was added to the ausearch but how is it used? The man pages claim:

String  based  matches  must match the whole word.

But I have been trying

ausearch -w failed and variations of that but only get the message

ausearch -if audit.log.3 -w failed
failed is an unsupported option


* Re: ausearch
  2009-10-16 22:25 ` ausearch Pittigher, Raymond  - CS
@ 2009-10-17 16:05   ` Steve Grubb
  0 siblings, 0 replies; 6+ messages in thread
From: Steve Grubb @ 2009-10-17 16:05 UTC (permalink / raw)
  To: linux-audit; +Cc: Pittigher, Raymond - CS

On Friday 16 October 2009 06:25:42 pm Pittigher, Raymond - CS wrote:
> I see that the -w or --word switch was added to the ausearch but how is it
>  used?

It is used in addition to other matching. If you were to try this search:

ausearch --start today -f va

it will match any file that has va anywhere in it - for example /var/run would 
match. But if you change it to this:

ausearch --start today  -f va   -w

now, /var/run would no longer match. It would insist on the whole file path to 
be va.


> But I have been trying
> 
> ausearch -w failed and variations of that but only get the message

You would just use  "ausearch -sv no" to find failed records. Some search 
options do not do partial matches. The -w option does not take an argument.
 
-Steve

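To make the three matchers Steve describes concrete (-f as a substring match on the file path, -w turning that into a whole-field match with no argument of its own, and -sv no for failed records), here is an added Python emulation of that behaviour over constructed audit.log lines. It is illustration only, not ausearch's code and not part of the original thread; the sample records are constructed, and the field semantics it assumes (name= on PATH records for -f, success= on the SYSCALL record for -sv, criteria combined with AND and whole events returned) are assumptions about ausearch made for the example.

```python
"""Emulate ausearch's -f, -f -w and -sv matching over constructed audit records.

Added example, not ausearch's own code. Assumptions: -f looks at name= on
PATH records, -sv at success= on the SYSCALL record, several criteria are
ANDed, and a match returns the whole event (all records sharing a serial).
"""
import re

# Constructed sample records in raw audit.log format (not captured from a
# real host). Event 1001 touches /var/run/utmp, 1002 is a denied open of
# /etc/shadow, 1003 creates a file literally named "va".
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1255731942.101:1001): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/usr/bin/cat" key="watch"
type=PATH msg=audit(1255731942.101:1001): item=0 name="/var/run/utmp" inode=1234 dev=fd:00 mode=0100664 ouid=0 ogid=22
type=SYSCALL msg=audit(1255731950.202:1002): arch=c000003e syscall=2 success=no exit=-13 comm="cat" exe="/usr/bin/cat" key="watch"
type=PATH msg=audit(1255731950.202:1002): item=0 name="/etc/shadow" inode=5678 dev=fd:00 mode=0100000 ouid=0 ogid=0
type=SYSCALL msg=audit(1255731960.303:1003): arch=c000003e syscall=2 success=yes exit=4 comm="touch" exe="/usr/bin/touch" key="watch"
type=PATH msg=audit(1255731960.303:1003): item=0 name="va" inode=9012 dev=fd:00 mode=0100644 ouid=1000 ogid=1000
"""

# "type=X msg=audit(seconds.millis:serial): rest-of-record"
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_log(text):
    """Parse raw audit.log text into {serial: [record, ...]}.

    Each record is a dict of field -> value with surrounding quotes removed.
    Records sharing a serial number belong to one event, which is what
    ausearch prints as a unit.
    """
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("unparseable audit record: %r" % line)
        rtype, ts, serial, rest = m.groups()
        fields = {"type": rtype, "time": ts}
        for key, raw in FIELD_RE.findall(rest):
            fields[key] = raw[1:-1] if raw.startswith('"') else raw
        events.setdefault(int(serial), []).append(fields)
    return events


def search(events, file=None, word=False, success=None):
    """Return serial numbers of events matching every given criterion.

    file:    string to look for in PATH name= fields (like ausearch -f);
             with word=True the whole field must equal it (like -w, which
             modifies the string match and takes no argument of its own).
    success: "yes" or "no", required on the SYSCALL record (like -sv).
    """
    hits = []
    for serial, records in sorted(events.items()):
        if file is not None:
            names = [r["name"] for r in records
                     if r["type"] == "PATH" and "name" in r]
            matched = file in names if word else any(file in n for n in names)
            if not matched:
                continue
        if success is not None:
            if not any(r["type"] == "SYSCALL" and r.get("success") == success
                       for r in records):
                continue
        hits.append(serial)
    return hits


if __name__ == "__main__":
    ev = parse_audit_log(SAMPLE_LOG)
    print("-f va      ->", search(ev, file="va"))          # substring: 1001, 1003
    print("-f va -w   ->", search(ev, file="va", word=True))  # whole field: 1003
    print("-sv no     ->", search(ev, success="no"))        # failed syscalls: 1002
```

Running it shows why `-f va` catches /var/run/utmp while `-f va -w` does not, and why a failed access is found with `-sv no` rather than by searching for the word "failed", which never appears as a field value in the raw records.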

* ausearch
@ 2013-05-16 12:52 David Flatley
  2013-05-16 13:13 ` ausearch Steve Grubb
  0 siblings, 1 reply; 6+ messages in thread
From: David Flatley @ 2013-05-16 12:52 UTC (permalink / raw)
  To: Linux-audit


    I want to have ausearch search for a specific devname. Any suggestions?
Thanks.


David Flatley
"To err is human. To really screw up requires the root password." -UNKNOWN


* Re: ausearch
  2013-05-16 12:52 ausearch David Flatley
@ 2013-05-16 13:13 ` Steve Grubb
  0 siblings, 0 replies; 6+ messages in thread
From: Steve Grubb @ 2013-05-16 13:13 UTC (permalink / raw)
  To: linux-audit

On Thursday, May 16, 2013 08:52:20 AM David Flatley wrote:
> I want to have ausearch search for a specific devname. Any suggestions?

In terms of devices, ausearch as it is now can only search for terminal names. 
No one has ever asked for search for a device, so it's never been added. And 
generally what is searchable in ausearch also winds up as a report type in 
aureport.

So, what would be the use case for this?

-Steve


* ausearch
@ 2014-01-03 13:58 David Flatley
  2014-01-03 14:05 ` ausearch LC Bruzenak
  0 siblings, 1 reply; 6+ messages in thread
From: David Flatley @ 2014-01-03 13:58 UTC (permalink / raw)
  To: linux-audit


    When running "ausearch -i", does this read both
the /var/log/audit/audit.log and the rotated log files in the same
directory? Thanks.


David Flatley
"To err is human. To really screw up requires the root password." -UNKNOWN


* Re: ausearch
  2014-01-03 13:58 ausearch David Flatley
@ 2014-01-03 14:05 ` LC Bruzenak
  0 siblings, 0 replies; 6+ messages in thread
From: LC Bruzenak @ 2014-01-03 14:05 UTC (permalink / raw)
  To: linux-audit

On 01/03/2014 07:58 AM, David Flatley wrote:
>     When running "ausearch -i", does this read both
> the /var/log/audit/audit.log and the rotated log files in the same
> directory? Thanks.
It does, unless you specify the "-if <FILE>" option.
Remember: if called from a cron script, use the "--input-logs" option.

LCB

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com

