[linux-audit/audit-userspace] Aureport on stream of data (Issue #324)
Burn Alting
burn.alting at iinet.net.au
Thu Oct 12 10:43:37 UTC 2023
Yes please, 2 questions:
1) Is there a way to run aureport on updating auditd logs? That is, not
running aureport on all logs, just updating the last aureport with the
recent addition of logs?
2) Could aureport run on combined auditd logs from more than one computer
and produce multiple outputs?
Thank you
To answer the above:
For 1, use the --checkpoint option of ausearch to generate the events.
For 2, assuming you disseminate the source hosts on the aggregating host, again
multiple invocations of ausearch will work with the --checkpoint option.
Rgds
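The workflow described in the reply, as an added example that is not part of the thread and not code from the audit-userspace project: one ausearch invocation per source host, each with its own --checkpoint file, emitting only the events added since the previous run in --raw form, which aureport then summarises. The layout is assumed for illustration: the aggregating host's own audit logs carry every host's records with a node=<hostname> field (as audisp-remote aggregation produces), so the per-host split is done with ausearch --node; the directories, file names and the DRY_RUN switch are hypothetical. The --input-logs, --node, --checkpoint, --raw and --input options and the ausearch exit codes 10, 11 and 12 are the documented ones.

```shell
#!/bin/sh
# Added example (not from the thread): incremental aureport output per source
# host, driven by one ausearch checkpoint file per host.
#
# Assumed, hypothetical layout:
#   - the collector's audit logs contain every host's events, each record
#     carrying node=<hostname> (audisp-remote style aggregation);
#   - one checkpoint file per host under $CKPT_DIR;
#   - one timestamped report per host and run under $REPORT_DIR.
CKPT_DIR=${CKPT_DIR:-/var/lib/aureport-ckpt}
REPORT_DIR=${REPORT_DIR:-/var/log/aureport}
DRY_RUN=${DRY_RUN:-0}

# checkpoint_path HOST: the file recording the last event already reported for
# HOST. One file per host is what lets several hosts share one log stream
# without overwriting each other's position.
checkpoint_path() {
    printf '%s/%s.chk\n' "$CKPT_DIR" "$1"
}

# ausearch_cmd HOST: the ausearch command line that emits, in raw log format,
# only HOST's events not yet covered by HOST's checkpoint.
#   --input-logs  take the log location from auditd.conf (needed from cron,
#                 where stdin is not a terminal)
#   --node HOST   keep only records whose node= field is HOST; the filter must
#                 be the same on every run that uses this checkpoint file
#   --checkpoint  resume after the last event of the previous run, then
#                 update the file for the next run
#   --raw         unformatted records, which is what aureport parses
ausearch_cmd() {
    printf 'ausearch --input-logs --node %s --checkpoint %s --raw\n' \
        "$1" "$(checkpoint_path "$1")"
}

# ausearch_status CODE: map ausearch's documented exit codes to a verdict.
ausearch_status() {
    case "$1" in
        0)  echo ok ;;
        1)  echo no-new-events ;;
        10) echo checkpoint-processing-error ;;
        11) echo invalid-checkpoint-data ;;
        12) echo checkpoint-event-not-found ;;
        *)  echo "unknown($1)" ;;
    esac
}

# report_host HOST: run the pipeline once for HOST. The raw events go to a
# temporary file so ausearch's exit status can be checked in plain sh before
# aureport reads them with --input.
report_host() {
    host=$1
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $(ausearch_cmd "$host") | aureport --summary"
        return 0
    fi
    mkdir -p "$CKPT_DIR" "$REPORT_DIR"
    out="$REPORT_DIR/$host.$(date +%Y%m%dT%H%M%S).txt"
    ausearch --input-logs --node "$host" \
        --checkpoint "$(checkpoint_path "$host")" --raw > "$out.raw"
    rc=$?
    case "$(ausearch_status "$rc")" in
        ok)
            aureport --input "$out.raw" --summary > "$out" ;;
        no-new-events)
            : ;;   # nothing added since the last run; checkpoint unchanged
        *)
            # a bad or stale checkpoint; leave it for inspection rather than
            # silently re-reporting the whole log from the beginning
            echo "$host: ausearch failed: $(ausearch_status "$rc")" >&2 ;;
    esac
    rm -f "$out.raw"
    return "$rc"
}

# Usage from cron on the aggregating host, one host name per argument:
#   ./aureport-incremental.sh web01 db01
for h in "$@"; do
    report_host "$h" || :
done
```

If the hosts' logs are kept in separate files instead of one combined stream, replace --input-logs and --node with ausearch --input pointing at that host's file; the per-host checkpoint file stays the same. Point every run at the same filter and the same checkpoint file, since ausearch reports exit 12 when it cannot find the checkpointed event in the matching output.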