buffer space
David Flatley
dflatley at us.ibm.com
Mon Aug 17 17:32:33 UTC 2009
>> Lenny:
>>
>> I was going to move the rotated logs into /home/logs and use "ausearch
>> -i -f /home/logs".
>>
>>
>> David Flatley CISSP
>>
>>
>David,
>
>It won't work like that; exactly the issue I described:
>
>[root at slim root]# mkdir logs-test
>[root at slim root]# cd !$
>cd logs-test
>[root at slim logs-test]# auditctl -m "TEST message"
>[root at slim logs-test]# service auditd rotate
>Rotating logs: [ OK ]
>[root at slim logs-test]# cp /var/log/audit/audit.log.1 .
>[root at slim logs-test]# ausearch -i -f `pwd` -m USER
><no matches>
>[root at slim logs-test]# grep TEST audit.log.1
>node=slim type=USER msg=audit(1250529052.265:305135): user pid=8191
>uid=0 auid=500 ses=4172 subj=user_u:user_r:user_t:s0 msg='TEST message:
>exe="/sbin/auditctl" (hostname=?, addr=?, terminal=pts/18 res=success)'
>
>
>LCB.
UGH this is a wrench in the works...
I was hoping to grab all the rotated logs, process them while still
allowing audit
to run with no interruptions. Problem I run into is I run ausearch -i
> /tmp/file and then
do ausearch -i /nfs/file with auditd stopped, then compare files and if
they are the same in
size then delete the /tmp/file. I do this to make sure I get the log in the
nfs archive directory
and the /tmp is a backup if there is a problem. If audit is running there
is no way the files will
be equal in size while processing the /var/log/audit data in two different
intervals.
Thanks for feedback on this Lenny.
David Flatley CISSP
From: LC Bruzenak <lenny at magitekltd.com>
To: David Flatley/Burlington/IBM at IBMUS
Cc: linux-audit at redhat.com, Steve Grubb <sgrubb at redhat.com>
Date: 08/17/2009 01:16 PM
Subject: Re: buffer space
On Mon, 2009-08-17 at 13:06 -0400, David Flatley wrote:
> Lenny:
>
> I was going to move the rotated logs into /home/logs and use "ausearch
> -i -f /home/logs".
>
>
> David Flatley CISSP
>
>
David,
It won't work like that; exactly the issue I described:
[root at slim root]# mkdir logs-test
[root at slim root]# cd !$
cd logs-test
[root at slim logs-test]# auditctl -m "TEST message"
[root at slim logs-test]# service auditd rotate
Rotating logs: [ OK ]
[root at slim logs-test]# cp /var/log/audit/audit.log.1 .
[root at slim logs-test]# ausearch -i -f `pwd` -m USER
<no matches>
[root at slim logs-test]# grep TEST audit.log.1
node=slim type=USER msg=audit(1250529052.265:305135): user pid=8191
uid=0 auid=500 ses=4172 subj=user_u:user_r:user_t:s0 msg='TEST message:
exe="/sbin/auditctl" (hostname=?, addr=?, terminal=pts/18 res=success)'
LCB.
--
LC (Lenny) Bruzenak
lenny at magitekltd.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20090817/db712d58/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20090817/db712d58/attachment.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ecblank.gif
Type: image/gif
Size: 45 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20090817/db712d58/attachment-0001.gif>
More information about the Linux-audit
mailing list