Hi I set a cron job script to perform ausearch every 5 minutes on a central log server. The logs from various hosts are received together in the same file The logs are rotated on a daily basis Everything ran fine for several days, then suddently I got : Corrupted checkpoint file. Inode match, but newer complete event (1582684501.003:48035) found before loaded checkpoint 1582684346.999:48034 The events are : checkpoint audit.log.3: node=xxxxxxxx type=USER_END msg=audit(1582684346.999:48034): pid=15666 uid=0 auid=0 newer event audit.log.2: node= xxxxxxxx type=USER_ACCT msg=audit(1582684501.003:48035): pid=16000 I guess the problem is due to the log rotation since the two messages are coming from the same host. I have a few questions When it happens how can I restart the process ? Is there a way to restart ausearch from the newer event ? How could I extract the events between the checkpoint and the newer event ? The checkpoint file contains : dev=0xFD03 inode=1048581 output=xxxxxxxx 1582770601.342:380885 0x456
What is this : 0x456 ? How can I find the value for a given event ? Philippe Worldline and equensWorldline are a registered trademarks and trading names owned by Worldline Group. This e-mail and the documents attached are confidential and intended solely for the addressee. If you receive this e-mail in error, you are not authorized to copy, disclose, use or retain it. Please notify the sender immediately and delete this email from your systems. As emails may be intercepted, amended or lost, they are not secure. EquensWorldline and the Worldline Group therefore can accept no liability for any errors or their content. Although equensWorldline and the Worldline Group endeavours to maintain a virus-free network, we do not warrant that this transmission is virus-free and can accept no liability for any damages resulting from any virus transmitted. The risks are deemed to be accepted by everyone who communicates with equensWorldline and the Worldline Group by email
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
