How to read audit log?

Steve Grubb sgrubb at redhat.com
Tue Sep 25 17:02:46 UTC 2007


On Tuesday 25 September 2007 12:43:52 James Antill wrote:
> > Yes. It would let you write an app that is more efficient than using perl
> > on ausearch output.
>
>  That's not really true,

Sure it is. Perl cannot do the interpretations. So you'd have to spend time 
writing all that code and maintain it or use ausearch to provide you that 
functionality.

>  and when it is true it's only because ausearch is so slow at doing "cat":

It does a lot more than "cat". For example, it understands the ordering 
requirements of the logs and searches them in the correct order. It also 
assembles the records into an event before presenting them. It interprets 
some of the data so that it's more usable even if you don't ask for a full 
interpretation.

-Steve
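As an added example (not from the original post and not code from the audit userspace project), the Python script below does in miniature the three things Steve says ausearch does beyond "cat": it groups raw audit.log records into events by their audit(timestamp:serial) key, presents events in timestamp/serial order even when records are interleaved in the file, and interprets a few fields (hex-encoded string values, negative exit codes via errno, a small x86_64 syscall subset, uid via the local passwd database). The sample log lines are constructed for this example; the HEX_FIELDS allow-list and the SYSCALL_X86_64 table are deliberate simplifications of what ausearch knows.

```python
import errno
import re

try:
    import pwd  # POSIX only; used for the uid -> name interpretation
except ImportError:
    pwd = None

# Constructed sample of raw audit.log records (not from the original post).
# Records of one event share the audit(timestamp:serial) key. The LOGIN record
# belongs to an earlier event but is placed after the first SYSCALL record to
# show that event order comes from the key, not from position in the file.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1190739766.123:4567): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1234abcd a1=0 ppid=1 pid=2345 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="shadow-read"
type=LOGIN msg=audit(1190739765.900:4566): login pid=2300 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=3
type=CWD msg=audit(1190739766.123:4567):  cwd="/home/steve"
type=PATH msg=audit(1190739766.123:4567): item=0 name=2F746D702F6D792066696C65 inode=1234 dev=08:01 mode=0100400 ouid=0 ogid=0 rdev=00:00
"""

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')

# Fields the kernel hex-encodes when the value contains spaces, quotes or
# unprintable bytes. ausearch knows the full set; this allow-list is an
# assumption kept small for the example (it also stops a0=7fff... from being
# mistaken for a hex string).
HEX_FIELDS = {"name", "cwd", "comm", "exe", "key", "proctitle"}

# Tiny subset of the x86_64 syscall table (arch=c000003e); ausearch -i carries
# the complete per-architecture table.
SYSCALL_X86_64 = {0: "read", 1: "write", 2: "open", 3: "close", 59: "execve", 257: "openat"}


def parse_record(line):
    """Split one raw record into type, (sec, msec), serial and a field dict."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, sec, msec, serial, rest = m.groups()
    fields = {}
    for key, val in FIELD_RE.findall(rest):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        elif key in HEX_FIELDS and HEX_RE.match(val):
            # proctitle separates argv entries with NUL; render it as a space
            val = bytes.fromhex(val).decode("utf-8", "replace").replace("\x00", " ")
        fields[key] = val
    return {"type": rtype, "time": (int(sec), int(msec)), "serial": int(serial), "fields": fields}


def assemble_events(lines):
    """Group records into events keyed by (timestamp, serial), returned in key order."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # not an audit record (blank line, junk); ausearch skips these too
        events.setdefault((rec["time"], rec["serial"]), []).append(rec)
    return [events[k] for k in sorted(events)]


def uid_to_name(uid):
    """Interpret a numeric uid against the local passwd database, with a fallback."""
    if pwd is not None:
        try:
            return pwd.getpwuid(uid).pw_name
        except KeyError:
            pass
    return "unknown(%d)" % uid


def interpret(event):
    """Turn the raw numeric values of one assembled event into readable ones."""
    out = {"records": [r["type"] for r in event]}
    for rec in event:
        f = rec["fields"]
        if rec["type"] == "SYSCALL":
            num = int(f["syscall"])
            out["syscall"] = SYSCALL_X86_64.get(num, str(num)) if f.get("arch") == "c000003e" else str(num)
            ex = int(f["exit"])
            # a negative exit is -errno; errno.errorcode maps 13 -> 'EACCES'
            out["exit"] = errno.errorcode.get(-ex, str(ex)) if ex < 0 else str(ex)
            out["uid"] = uid_to_name(int(f["uid"]))
            out["exe"] = f.get("exe")
            out["key"] = f.get("key")
        elif rec["type"] == "PATH":
            out.setdefault("paths", []).append(f["name"])
        elif rec["type"] == "CWD":
            out["cwd"] = f["cwd"]
    return out


if __name__ == "__main__":
    for ev in assemble_events(SAMPLE_LOG.splitlines()):
        print(interpret(ev))
```

Run against a real file with `assemble_events(open("/var/log/audit/audit.log"))`; for rotated logs, feed the files oldest first, since the grouping above relies only on the key and the final sort handles records that arrive out of order within the input.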




More information about the Linux-audit mailing list