ausearch question

LC Bruzenak lenny at magitekltd.com
Thu May 1 18:11:19 UTC 2008


I was wondering what a "-ts now" would return from my audit data.
I thought maybe it would be similar to a "tail" of the data, but that's
not what I got.

Is this what you'd expect?

[root@hugo ~]# date ; ausearch -i -ts now --just-one
Thu May  1 14:05:10 EDT 2008
----
type=DAEMON_START msg=audit(05/01/2008 09:14:40.029:3602) : auditd
start, ver=1.7.2 format=raw kernel=2.6.25-1.fc9.x86_64 auid=unset
pid=2003 res=success 


Most of the relevant data is in the record, however:
[root@hugo ~]# uname -a
Linux hugo 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr 17 01:11:31 EDT 2008
x86_64 x86_64 x86_64 GNU/Linux

[root@hugo ~]# rpm -qa | grep audit
audit-libs-1.7.2-6.fc9.i386
audit-1.7.2-6.fc9.x86_64
audit-libs-python-1.7.2-6.fc9.x86_64
audit-libs-devel-1.7.2-6.fc9.x86_64
audit-libs-devel-1.7.2-6.fc9.i386
audit-libs-1.7.2-6.fc9.x86_64

Thx,
LCB.
-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
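As a reference model for the time filter the question is about, here is an added example (not from the post and not code from the audit project) that does what `-ts`/`-te` are documented to do: it selects raw audit records by the timestamp inside their own `msg=audit(secs.millis:serial)` stamp, not by their position in the log. The sample records are constructed for the example (epoch values chosen to match the 09:14:40 EDT daemon start and the 14:05:10 EDT `date` output in the post); the record-type parsing is simplified, and the `today` keyword is resolved against UTC midnight here purely for determinism, so no claim is made about how ausearch 1.7.2 handles local time or the observed output.

```python
"""Filter raw audit records by the timestamp embedded in msg=audit(...)."""
import re
from datetime import datetime, timezone

# Constructed sample records (not real audit data).  Timestamps are
# epoch seconds.millis as auditd writes them in raw format; serials are
# arbitrary.  1209647680 = 2008-05-01 09:14:40 EDT, the DAEMON_START
# time from the post.
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1209647680.029:3602): auditd start, ver=1.7.2 format=raw kernel=2.6.25-1.fc9.x86_64 auid=4294967295 pid=2003 res=success
type=SYSCALL msg=audit(1209650000.100:3610): arch=c000003e syscall=2 success=yes exit=3 pid=2100 auid=500 uid=0 comm="cat" exe="/bin/cat" key="watch"
type=USER_LOGIN msg=audit(1209665110.500:3700): user pid=2200 uid=0 auid=500 msg='acct="lenny" exe="/usr/sbin/sshd" res=success'
type=SYSCALL msg=audit(1209665111.000:3701): arch=c000003e syscall=59 success=yes exit=0 pid=2201 auid=500 uid=500 comm="bash" exe="/bin/bash" key="exec"
"""

# 2008-05-01 14:05:10 EDT (18:05:10 UTC), the moment "date" printed in the post.
NOW = 1209665110.0

AUDIT_STAMP = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")


def parse_record(line):
    """Return a dict for one raw record, or None if it carries no audit stamp."""
    m = AUDIT_STAMP.search(line)
    if not m:
        return None
    secs, millis, serial = m.groups()
    # Simplified: take the first type= token; real records can be multi-line events.
    rtype = line.split("type=", 1)[1].split()[0] if "type=" in line else "?"
    return {
        "ts": int(secs) + int(millis) / 1000.0,
        "serial": int(serial),
        "type": rtype,
        "raw": line,
    }


def parse_log(text):
    """Parse every line that carries a msg=audit(...) stamp."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def resolve_keyword(word, now):
    """Resolve a few -ts/-te style keywords to an epoch value.

    'now'    -> the reference time
    'recent' -> ten minutes before it
    'today'  -> midnight (UTC here, an assumption for determinism)
    """
    if word == "now":
        return now
    if word == "recent":
        return now - 600
    if word == "today":
        d = datetime.fromtimestamp(now, tz=timezone.utc)
        return d.replace(hour=0, minute=0, second=0, microsecond=0).timestamp()
    raise ValueError("unsupported time keyword: %r" % word)


def search(records, start=None, end=None, just_one=False):
    """Keep records whose own stamp lies in [start, end]; optionally only the first.

    This is the documented meaning of -ts (at or after start) and -te (at or
    before end): the decision is made on the record's timestamp, so a record
    stamped 09:14 is not selected for a start time of 14:05.
    """
    hits = [
        r for r in records
        if (start is None or r["ts"] >= start) and (end is None or r["ts"] <= end)
    ]
    return hits[:1] if just_one else hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for kw in ("now", "recent", "today"):
        sel = search(recs, start=resolve_keyword(kw, NOW))
        print("-ts %-6s -> %d record(s): %s" % (kw, len(sel), [r["serial"] for r in sel]))
    first = search(recs, start=NOW, just_one=True)
    print("-ts now --just-one ->", first[0]["type"] if first else "nothing")
```

Run against the constructed log, `-ts now` returns only the two records stamped at or after 14:05:10, and `--just-one` yields the USER_LOGIN record rather than the morning DAEMON_START; `-ts today` is the setting that would pull in everything since midnight, including the daemon start.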



