buffer space

[LC Bruzenak]

On Mon, 2009-08-17 at 13:06 -0400, David Flatley wrote:
> Lenny:
> 
> I was going to move the rotated logs into /home/logs and use "ausearch
> -i -f /home/logs".
> 
> 
> David Flatley CISSP
> 
> 

David,

It won't work like that; exactly the issue I described:

[root at slim root]# mkdir logs-test
[root at slim root]# cd !$
cd logs-test
[root at slim logs-test]# auditctl -m "TEST message"
[root at slim logs-test]# service auditd rotate
Rotating logs:                                             [  OK  ]
[root at slim logs-test]# cp /var/log/audit/audit.log.1 .
[root at slim logs-test]# ausearch -i -f `pwd` -m USER
<no matches>
[root at slim logs-test]# grep TEST audit.log.1
node=slim type=USER msg=audit(1250529052.265:305135): user pid=8191
uid=0 auid=500 ses=4172 subj=user_u:user_r:user_t:s0 msg='TEST message:
exe="/sbin/auditctl" (hostname=?, addr=?, terminal=pts/18 res=success)'


LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com