On an audit collector machine, I (obviously) have data from different
hosts.
In an ausearch I would like to look for events from multiple hosts.
Ideally I would have multiple "-n <HOSTNAME>" entries which would return
events for any of the hosts.
The man page says that the options form an "and" statement. I find this
isn't the case with multiple hosts specified, but the result is the
"last host listed wins":
[r...@audit audit]# ausearch -i -n client3 -n client12 | grep client3 | wc
0 0 0
[r...@audit audit]# ausearch -i -n client12 -n client3 | grep client3 | wc
2035 35292 529086
[r...@audit audit]# ausearch -i -n client12 -n client3 | grep client12 | wc
0 0 0
[r...@audit audit]# ausearch -i -n client3 -n client12 | grep client12 | wc
1709 29481 445211
I may patch my own ausearch to behave differently. I could just extract
them independently, however then I'd need to weave them back together
because I need the events to be sequential.
LCB.
--
LC (Lenny) Bruzenak
[email protected]
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
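Worked example of the "extract independently, then weave back together" approach the post mentions. This is added here for illustration and is not code from the original post or from the audit project. It assumes that ausearch is on PATH on the collector, that each host's events are pulled with `ausearch -r -n <host>` (raw mode, one run per host), and that records received from remote hosts carry the `node=<host>` prefix before `type=`. The sample records below are constructed, not real audit data.

```python
#!/usr/bin/env python3
"""Merge raw ausearch output from several hosts into one time-ordered stream.

Added example (not part of the original post or the audit project): runs
`ausearch -r -n <host>` once per host and weaves the results back together
by the audit timestamp, so the combined output is sequential across hosts.
"""
import re
import subprocess
import sys
from collections import OrderedDict

# Every raw audit record carries msg=audit(<seconds>.<millis>:<serial>):
# The node= prefix is present on records received from remote hosts.
RECORD_RE = re.compile(
    r'^(?:node=(?P<node>\S+)\s+)?type=\S+\s+'
    r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')


def parse_events(raw_text):
    """Group raw ausearch records into events keyed by (node, timestamp, serial).

    Returns a list of (key, [record lines]) in first-seen order. Lines that
    do not look like audit records (blank event separators) are skipped.
    """
    events = OrderedDict()
    for line in raw_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        key = (m.group('node') or '', float(m.group('ts')), int(m.group('serial')))
        events.setdefault(key, []).append(line)
    return list(events.items())


def merge_events(raw_outputs):
    """Merge several raw ausearch outputs into one list ordered by time.

    Sort key is (timestamp, serial, node): the timestamp gives the sequential
    order across hosts; serial and node only break ties deterministically,
    since audit serial numbers are per-host counters.
    """
    all_events = []
    for raw in raw_outputs:
        all_events.extend(parse_events(raw))
    all_events.sort(key=lambda item: (item[0][1], item[0][2], item[0][0]))
    return all_events


def render(events):
    """Render merged events back to raw text, one blank line between events."""
    return '\n\n'.join('\n'.join(lines) for _, lines in events) + '\n'


def ausearch_raw(host):
    """Run ausearch -r for one node; assumes ausearch is on PATH (collector host)."""
    return subprocess.run(['ausearch', '-r', '-n', host],
                          capture_output=True, text=True, check=False).stdout


# Constructed sample records (not real audit data) standing in for two
# `ausearch -r -n <host>` runs; timestamps interleave across the two hosts.
SAMPLE_CLIENT3 = """\
node=client3 type=SYSCALL msg=audit(1355503322.100:5623): arch=c000003e syscall=2 success=yes exit=3
node=client3 type=PATH msg=audit(1355503322.100:5623): item=0 name="/etc/shadow"

node=client3 type=USER_LOGIN msg=audit(1355503325.500:5624): pid=2100 uid=0 res=success
"""
SAMPLE_CLIENT12 = """\
node=client12 type=USER_AUTH msg=audit(1355503323.700:9001): pid=4321 uid=0 res=failed

node=client12 type=SYSCALL msg=audit(1355503326.200:9002): arch=c000003e syscall=59 success=yes exit=0
node=client12 type=EXECVE msg=audit(1355503326.200:9002): argc=1 a0="id"
"""


def main(argv):
    # With hostnames on the command line, query the collector; otherwise
    # demonstrate on the constructed samples.
    if argv[1:]:
        raw_outputs = [ausearch_raw(h) for h in argv[1:]]
    else:
        raw_outputs = [SAMPLE_CLIENT3, SAMPLE_CLIENT12]
    sys.stdout.write(render(merge_events(raw_outputs)))


if __name__ == '__main__':
    main(sys.argv)
```

Run as `./merge_audit.py client3 client12` on the collector to get one stream in which the four sample events come out as client3, client12, client3, client12 by timestamp. Records of one event stay together because they are grouped on the (node, timestamp, serial) key before sorting, so multi-record events such as SYSCALL plus PATH are never split by an event from another host with a timestamp in between.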