ausearch discrepancies?
Steve Grubb
sgrubb at redhat.com
Fri Jun 5 15:53:26 UTC 2009
On Friday 05 June 2009 11:42:18 am LC Bruzenak wrote:
> On Fri, 2009-06-05 at 11:32 -0400, Steve Grubb wrote:
> > On Thursday 04 June 2009 08:37:17 pm LC Bruzenak wrote:
> > > This shows plenty of events after the 19:11 event shown.
> > > Any ideas?
> >
> > Looks like a problem. FYI, using aureport shows the exact time range
> > selected for the search. (Aureport and ausearch share the same time
> > code.)
>
> Seems like it is operating true to the man page (earlier email).
> No?
> I do not agree with the behavior...but agree it is consisten
Well, I don't think assuming a time of now is the right thing to do for
keywords that mean something in the past. It should be midnight for an ending
time.
-Steve
More information about the Linux-audit
mailing list