On Friday 16 October 2009 06:25:42 pm Pittigher, Raymond - CS wrote:
> I see that the -w or --word switch was added to the ausearch but how is it
> used?

It is used in addition to other matching. If you were to try this search:

ausearch --start today -f va

it will match any file that has va anywhere in it - for example /var/run would match. But if you change it to this:

ausearch --start today -f va -w

now, /var/run would no longer match. It would insist on the whole file path to be va.

> But I have been trying
>
> ausearch -w failed and variation of that but only get the message

You would just use "ausearch -sv no" to find failed records. Some search options do not do partial matches. The -w option does not take an argument.

-Steve
