Archiving audits daily

Ed Christiansen edwardc at ll.mit.edu
Sat Oct 18 14:58:19 UTC 2008


Greetings,

I have a requirement to archive audits daily.  I can use the
audit tools to get all the records for a single day:

ausearch -ts 10/16/2008 00:00:00 -te 10/16/2008 23:59:60

but this returns a processed log entry.  I would like the
resulting event data to be in exactly the same format as the
original file instead so the ausearch and aureport tools
can be run directly on the resulting data file.  When I try
it with the ausearch data I get weird date results for the
start date.  I would have guessed at -u for unprocessed,
or -r for raw, but I don't see an option like this.  Is there
a way to accomplish this that I am missing?

Thanks in advance,
_____  ______________
\   / /__________   /
  | |  .  ...  .  | |    Ed Christiansen
  | | : ..   .. : | |    Group 93 ISSO/IT Team Lead
  | | .   ...   . | |
  | | : ..   .. : | |    MIT Lincoln Laboratory - Building S
  | |  ..  .  ..  | |    244 Wood St
  | | . ..   .. . | |    Lexington MA  02420-9185
  | | :.  ...  .: | |
  | | . ..  ..  . | |
  | |  .  ...  .  | |
  | |___________  | |
/_____________/ /___\
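One way to get the day's records out in the original on-disk format, as an added example that is not part of the original post: every line in audit.log carries its own event time in the `msg=audit(SECONDS.MILLIS:SERIAL)` field, so selecting by that epoch value and writing the lines through unchanged produces a file that `ausearch -if` and `aureport -if` read directly. The sample records below are constructed for the demonstration; `/var/log/audit/audit.log` as the input path and GNU `date` for the epoch conversion are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: archive one calendar day of audit
# records in raw (unprocessed) form by filtering on the epoch timestamp that
# every record carries in its msg=audit(SECONDS.MILLIS:SERIAL) header.

# Constructed sample records (not real log data). 2008-10-16 00:00:00 UTC is
# epoch 1224115200; 23:59:59 UTC the same day is 1224201599. Serial 1000 falls
# just before the day, serial 1778 just after; the other four lines are inside it.
SAMPLE_LOG=$(cat <<'EOF'
type=SYSCALL msg=audit(1224115199.990:1000): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat" key="archive-test"
type=SYSCALL msg=audit(1224115200.001:1001): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat" key="archive-test"
type=PATH msg=audit(1224115200.001:1001): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644
type=USER_LOGIN msg=audit(1224158400.500:1042): pid=2001 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=SYSCALL msg=audit(1224201599.999:1777): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls" key="archive-test"
type=SYSCALL msg=audit(1224201600.000:1778): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls" key="archive-test"
EOF
)

# Print every record whose event time lies in [START_EPOCH, END_EPOCH], byte for
# byte as it appeared in the input, so the audit tools can still parse it.
# Usage: extract_day_raw START_EPOCH END_EPOCH < audit.log > audit-YYYY-MM-DD.log
extract_day_raw() {
    awk -v start="$1" -v end="$2" '
        # Locate "msg=audit(" followed by the seconds digits and the dot.
        match($0, /msg=audit\([0-9]+\./) {
            # "msg=audit(" is 10 characters; the match also covers the trailing dot,
            # so the seconds field is RLENGTH - 11 characters long.
            ts = substr($0, RSTART + 10, RLENGTH - 11)
            if (ts + 0 >= start + 0 && ts + 0 <= end + 0) print
        }'
}

# Archive one UTC calendar day (YYYY-MM-DD) from the live log into audit-DAY.log.
# Assumption: GNU date (-d) is available; the input path is the default auditd log.
archive_day() {
    day="$1"
    start=$(date -u -d "$day 00:00:00" +%s)
    end=$(date -u -d "$day 23:59:59" +%s)
    extract_day_raw "$start" "$end" < /var/log/audit/audit.log > "audit-$day.log"
}

# Demonstration on the constructed sample: prints the four in-range records.
printf '%s\n' "$SAMPLE_LOG" | extract_day_raw 1224115200 1224201599
```

The resulting file can be queried as usual (`ausearch -if audit-2008-10-16.log -k archive-test`, `aureport -if audit-2008-10-16.log --summary`) because nothing in the records was rewritten. Note that the epoch in the record is UTC while `ausearch -ts`/`-te` interpret the given clock time in the local timezone, which is one source of the "weird date" effect when a day boundary is taken from the interpreted output; filtering on the epoch field sidesteps that. Current ausearch releases also provide `-r`/`--raw`, which writes the matched records unformatted and so can replace the awk step (`ausearch -ts 10/16/2008 00:00:00 -te 10/16/2008 23:59:59 --raw > audit-2008-10-16.log`).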
