Philippe,

From man ausearch:

    -ts, --start [start-date] [start-time]
        Search for events with time stamps equal to or after the given start
        time. The format of start time depends on your locale. You can check
        the format of your locale by running date '+%x'. If the date is
        omitted, today is assumed. If the time is omitted, midnight is
        assumed. Use 24 hour clock time rather than AM or PM to specify time.
        An example date using the en_US.utf8 locale is 09/03/2009. An example
        of time is 18:00:00. The date format accepted is influenced by the
        LC_TIME environmental variable.

        You may also use the word: now, recent, boot, today, yesterday,
        this-week, week-ago, this-month, this-year, or checkpoint. Boot means
        the time of day to the second when the system last booted. Today
        means starting at 1 second after midnight. Recent is 10 minutes ago.
        Yesterday is 1 second after midnight the previous day. This-week
        means starting 1 second after midnight on day 0 of the week
        determined by your locale (see localtime). Week-ago means starting 1
        second after midnight exactly 7 days ago. This-month means 1 second
        after midnight on day 1 of the month. This-year means the 1 second
        after midnight on the first day of the first month.

        checkpoint means ausearch will use the timestamp found within a valid
        checkpoint file ignoring the recorded inode, device, serial, node and
        event type also found within a checkpoint file. Essentially, this is
        the recovery action should an invocation of ausearch with a
        checkpoint option fail with an exit status of 10, 11 or 12. It could
        be used in a shell script something like:

            ausearch --checkpoint /etc/audit/auditd_checkpoint.txt -i
            _au_status=$?
            if test ${_au_status} -eq 10 -o ${_au_status} -eq 11 -o ${_au_status} -eq 12
            then
              ausearch --checkpoint /etc/audit/auditd_checkpoint.txt --start checkpoint -i
            fi

That said, rather than sending events from multiple hosts to a single combined
file, I would strongly recommend one maintain multiple files, one per host. The
most recent change to the ausearch checkpoint code addressed this. So given a
directory structure like, say,

    repository/
    repository/year/
    repository/year/month
    repository/year/month/day
    repository/year/month/day/hosta/auditd.log
    repository/year/month/day/hostb/auditd.log
    repository/year/month/day/hostc/auditd.log
    ...
    repository/year/month/day/hostN/auditd.log

one could orchestrate a script that runs multiple ausearch commands along the
lines of

    ausearch -if repository/year/month/day/hosta/auditd.log --checkpoint .../hosta.chkpt ...
    ausearch -if repository/year/month/day/hostb/auditd.log --checkpoint .../hostb.chkpt ...

etc.
On Fri, 2020-02-28 at 10:46 +0000, MAUPERTUIS, PHILIPPE wrote:
> Hi,
> I set a cron job script to perform ausearch every 5 minutes on a central log
> server.
> The logs from various hosts are received together in the same file.
> The logs are rotated on a daily basis.
> Everything ran fine for several days, then suddenly I got:
> Corrupted checkpoint file. Inode match, but newer complete event
> (1582684501.003:48035) found before loaded checkpoint 1582684346.999:48034
> The events are:
> checkpoint
> audit.log.3: node=xxxxxxxx type=USER_END msg=audit(1582684346.999:48034):
> pid=15666 uid=0 auid=0
> newer event
> audit.log.2: node= xxxxxxxx type=USER_ACCT msg=audit(1582684501.003:48035):
> pid=16000
> I guess the problem is due to the log rotation since the two messages are
> coming from the same host.
> I have a few questions:
> When it happens how can I restart the process?
> Is there a way to restart ausearch from the newer event?
> How could I extract the events between the checkpoint and the newer event?
> The checkpoint file contains:
> dev=0xFD03
> inode=1048581
> output=xxxxxxxx 1582770601.342:380885 0x456
>
> What is this: 0x456?
> How can I find the value for a given event?
>
> Philippe
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit
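As an added example (not code from this thread, from the ausearch(8) man page, or from the audit project), the following POSIX shell script combines the two pieces of advice above: the per-host layout (one auditd.log and one checkpoint file per host, so hosts never share a checkpoint) and the recovery sequence from the man page excerpt (rerun with --start checkpoint when ausearch exits 10, 11 or 12). The repository path, the checkpoint directory, the AUSEARCH override variable and the function names are assumptions; the 0x456 field in the checkpoint file is not interpreted here because the thread does not explain it.

```shell
#!/bin/sh
# Added example, not from the mailing list thread or the audit project.
# Runs ausearch once per host against per-host log files and per-host
# checkpoint files, and recovers from checkpoint failures (exit 10, 11, 12)
# by rerunning with --start checkpoint, as described in ausearch(8).
# Assumptions: the repository/year/month/day/<host>/auditd.log layout from
# the thread, a checkpoint directory of your choosing, and an AUSEARCH
# variable that defaults to the real binary (override it with a shell
# function to exercise the logic without a running audit system).

AUSEARCH="${AUSEARCH:-ausearch}"

# True (exit 0) when STATUS is one of the checkpoint failure codes that
# ausearch(8) documents for --checkpoint: 10, 11 or 12.
is_checkpoint_failure() {
    case "$1" in
        10|11|12) return 0 ;;
        *)        return 1 ;;
    esac
}

# Search one host's log file with that host's own checkpoint file.
# On a checkpoint failure, rerun with --start checkpoint so that events
# after the checkpoint's timestamp are still reported rather than silently
# skipped. Any other non-zero status is returned unchanged so the caller
# can count it. Returns the exit status of the last ausearch run.
search_host() {
    logfile="$1"
    chkpt="$2"
    if "$AUSEARCH" -if "$logfile" --checkpoint "$chkpt" -i; then
        return 0
    else
        status=$?
    fi
    if is_checkpoint_failure "$status"; then
        echo "checkpoint failure ($status) on $logfile; restarting from checkpoint timestamp" >&2
        "$AUSEARCH" -if "$logfile" --checkpoint "$chkpt" --start checkpoint -i
        return $?
    fi
    return "$status"
}

# Walk every host directory under one day of the repository
# (repository/year/month/day/<host>/auditd.log) and keep one checkpoint
# file per host in CHKPTDIR. Returns the number of hosts whose final
# ausearch run still failed (0 when everything succeeded).
search_all_hosts() {
    daydir="$1"    # e.g. repository/2020/02/28 (assumed layout)
    chkptdir="$2"  # e.g. /var/lib/ausearch-checkpoints (assumed location)
    failures=0
    for hostdir in "$daydir"/*/; do
        hostdir="${hostdir%/}"
        [ -f "$hostdir/auditd.log" ] || continue
        host=$(basename "$hostdir")
        search_host "$hostdir/auditd.log" "$chkptdir/$host.chkpt" || failures=$((failures + 1))
    done
    return "$failures"
}

# Run directly as:
#   sh this_script.sh repository/2020/02/28 /var/lib/ausearch-checkpoints
if [ $# -eq 2 ]; then
    search_all_hosts "$1" "$2"
fi
```

Because every host has its own checkpoint file, a rotated or out-of-order file from one host can only trip that host's checkpoint, and the retry with --start checkpoint picks up from the recorded timestamp instead of losing the events between the checkpoint and the newer event; the stderr line gives the cron job something to alert on when that path is taken.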