aureport question

Steve Grubb sgrubb at redhat.com
Wed Dec 23 14:34:21 UTC 2009


On Sunday 20 December 2009 04:10:29 pm LC Bruzenak wrote:
> The aureport utility has an option to use an alternative input file.

Right. This is to override the directory setting that it gets from 
auditd.conf.

> Because I have to move my logs, I really need an alternative input
> directory, preferably a starting point, since my saved logs are:
> /var/log/audit-archive/<YEAR>/<MONTH>/<DAY> .
> Then I could do "aureport --topdir /var/log/audit-archive/2009/12 "
> and get all the 12/2009 events up to now.
> 
> What do you think?

This trick doesn't work any more?
https://www.redhat.com/archives/linux-audit/2009-August/msg00031.html

You could do 
cat `ls /var/log/audit-archive/<YEAR>/<MONTH>/<DAY>/a* | sort -r` | aureport
and it should work.

> I thought about creating a different flat directory and just linking
> the files I want, however I do not think the current options will
> allow this either. I guess that would be the easiest change though, to
> allow the -if parameter to be a directory or a file.

I suppose that could be done. But whatever we do in aureport, we need to do to 
ausearch since they share a lot of code and design.

-Steve
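An added example, not part of Steve's reply or of the audit-userspace project: it extends the `cat ... | sort -r | aureport` trick above to the whole archive tree LC describes (`/var/log/audit-archive/<YEAR>/<MONTH>/<DAY>/audit.log*`), which gives the requested "--topdir" behaviour from the shell without any change to aureport or ausearch. The layout and the sample records are constructed for the demonstration; the function names are my own. It also handles one edge case of the one-liner: once a day directory has more than nine rotated files, a lexical `sort -r` puts `audit.log.10` between `.2` and `.1`, so the suffix is compared numerically here.

```shell
#!/bin/sh
# Added example (not from the original message). Assumed layout, from the question:
#   TOPDIR/<YEAR>/<MONTH>/<DAY>/audit.log, audit.log.1, audit.log.2, ...
# auditd rotation keeps the newest file as audit.log and the oldest as the
# highest-numbered one, so "oldest first" means descending suffix number.

# Print the archived audit log files under $1 in chronological order.
# Directories are zero-padded YYYY/MM/DD, so a plain sort orders the days;
# paths are assumed to contain no whitespace.
audit_archive_files() {
    topdir=$1
    for day in $(find "$topdir" -type d | sort); do
        for f in "$day"/audit.log*; do
            [ -f "$f" ] || continue
            case "$f" in
                */audit.log)   n=0 ;;                       # newest file of the day
                */audit.log.*) n=${f##*/audit.log.} ;;      # rotated: audit.log.N
                *)             continue ;;
            esac
            case "$n" in *[!0-9]*) continue ;; esac         # skip audit.log.bak etc.
            printf '%s %s\n' "$n" "$f"
        done | sort -k1,1nr | cut -d' ' -f2-                # numeric, not lexical
    done
}

# Concatenate those files so they can be fed to aureport/ausearch on stdin, e.g.
#   audit_archive_cat /var/log/audit-archive/2009/12 | aureport --summary
audit_archive_cat() {
    audit_archive_files "$1" | while IFS= read -r f; do
        cat "$f"
    done
}

# Build a constructed sample archive in a temp dir and print its path.
# Day 01 has been rotated ten times, which is the case a lexical sort gets wrong.
make_sample_archive() {
    top=$(mktemp -d)
    for f in 2009/12/01/audit.log.10 2009/12/01/audit.log.9 \
             2009/12/01/audit.log.2  2009/12/01/audit.log.1 \
             2009/12/01/audit.log    2009/12/02/audit.log.1 \
             2009/12/02/audit.log; do
        mkdir -p "$top/$(dirname "$f")"
        # constructed record; the text is only there to show which file it came from
        printf 'type=USER_LOGIN msg=audit(0.0:0): constructed record from %s\n' "$f" \
            > "$top/$f"
    done
    printf '%s\n' "$top"
}
```

Swapping `audit_archive_cat` for the `cat \`ls ...\`` part of the one-liner is all that changes; aureport still reads the records from stdin exactly as in the trick Steve links.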
