On Mon, 2009-08-17 at 13:06 -0400, David Flatley wrote: > Lenny: > > I was going to move the rotated logs into /home/logs and use "ausearch > -i -f /home/logs". > > > David Flatley CISSP > >
David, It won't work like that; exactly the issue I described: [r...@slim root]# mkdir logs-test [r...@slim root]# cd !$ cd logs-test [r...@slim logs-test]# auditctl -m "TEST message" [r...@slim logs-test]# service auditd rotate Rotating logs: [ OK ] [r...@slim logs-test]# cp /var/log/audit/audit.log.1 . [r...@slim logs-test]# ausearch -i -f `pwd` -m USER <no matches> [r...@slim logs-test]# grep TEST audit.log.1 node=slim type=USER msg=audit(1250529052.265:305135): user pid=8191 uid=0 auid=500 ses=4172 subj=user_u:user_r:user_t:s0 msg='TEST message: exe="/sbin/auditctl" (hostname=?, addr=?, terminal=pts/18 res=success)' LCB. -- LC (Lenny) Bruzenak [email protected] -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
