buffer space

David Flatley dflatley at us.ibm.com
Mon Aug 17 21:18:02 UTC 2009 

On Mon, 2009-08-17 at 12:15 -0500, LC Bruzenak wrote:
> On Mon, 2009-08-17 at 13:06 -0400, David Flatley wrote:
> > Lenny:
> >
> > I was going to move the rotated logs into /home/logs and use "ausearch
> > -i -f /home/logs".
> >
> >
> > David Flatley CISSP
> >
> >
>
> David,
>
> It won't work like that; exactly the issue I described:
>
> [root at slim root]# mkdir logs-test
> [root at slim root]# cd !$
> cd logs-test
> [root at slim logs-test]# auditctl -m "TEST message"
> [root at slim logs-test]# service auditd rotate
> Rotating logs:                                             [  OK  ]
> [root at slim logs-test]# cp /var/log/audit/audit.log.1 .
> [root at slim logs-test]# ausearch -i -f `pwd` -m USER
> <no matches>
> [root at slim logs-test]# grep TEST audit.log.1
> node=slim type=USER msg=audit(1250529052.265:305135): user pid=8191
> uid=0 auid=500 ses=4172 subj=user_u:user_r:user_t:s0 msg='TEST message:
> exe="/sbin/auditctl" (hostname=?, addr=?, terminal=pts/18 res=success)'
>
>
> LCB.
>

David,

I should have been more diligent. The input switch was supposed to be
"-if" IIUC. The "-f" switch is looking for a filename inside the record.

[root at slim logs-test]# ausearch -i -if `pwd` -m USER
<no matches>

[root at slim logs-test]# ausearch -i -if `pwd`/audit.log.1  -m USER
...
----
node=slim type=USER msg=audit(08/17/2009 12:10:52.265:305135) : user
pid=8191 uid=root auid=lcb ses=4172 subj=user_u:user_r:user_t:s0
msg='TEST message: exe=/sbin/auditctl (hostname=?, addr=?,
terminal=pts/18 res=success)'
...

This is what you want to do right - search inside a directory other
than /var/log/audit with multiple audit logs inside the directory?

LCB.

   Yes but not search for anything specific. Actually all I want to do is
convert the
logs from kernel text to regular notation (ausearch -i) to start with. I
like Steve's
idea of doing "service auditd rotate", then moving all the rotated logs to
another
directory to run the "ausearch -i" on the logs. This way auditd can keep
running and
processing the logs does not effect auditd. So what you did is pretty much
what I want
to do with the -if instead of just the -f.
  Thanks Lenny!


David Flatley CISSP
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20090817/937e5492/attachment.htm>

More information about the Linux-audit mailing list