I was wondering what a "-ts now" would return from my audit data. I thought maybe it would be similar to a "tail" of the data, but that's not what I got.
Is this what you'd expect?:

[EMAIL PROTECTED] ~]# date ; ausearch -i -ts now --just-one
Thu May 1 14:05:10 EDT 2008
----
type=DAEMON_START msg=audit(05/01/2008 09:14:40.029:3602) : auditd start, ver=1.7.2 format=raw kernel=2.6.25-1.fc9.x86_64 auid=unset pid=2003 res=success

Most of the relevant data is in the record, however:

[EMAIL PROTECTED] ~]# uname -a
Linux hugo 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr 17 01:11:31 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
[EMAIL PROTECTED] ~]# rpm -qa | grep audit
audit-libs-1.7.2-6.fc9.i386
audit-1.7.2-6.fc9.x86_64
audit-libs-python-1.7.2-6.fc9.x86_64
audit-libs-devel-1.7.2-6.fc9.x86_64
audit-libs-devel-1.7.2-6.fc9.i386
audit-libs-1.7.2-6.fc9.x86_64

Thx,
LCB.

--
LC (Lenny) Bruzenak
[EMAIL PROTECTED]

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
