Whenever I review audit logs, it is difficult for me to determine if an account was logged in at an unusual day/time because there is no timestamp next to any entry, at least as I interpret the format. How, then, do I properly and successfully review the audit log entries based on a date/time stamp?
Also, how can I filter out root and sudo account entries, displaying everyone else in audit?
Thanks.
Scott
Scott Ehrlich wrote:
> Whenever I review audit logs, it is difficult for me to determine if an account was logged in at an unusual day/time because there is no timestamp next to any entry, at least as I interpret the format. How, then, do I properly and successfully review the audit log entries based on a date/time stamp?
> Also, how can I filter out root and sudo account entries, displaying everyone else in audit?
tail -f /var/log/audit/audit.log | ausearch -i
The above will allow you to see the logs happen in real time and human readable form.
Do a man of ausearch and aureport for more info.
Thanks, Johnny Hughes
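As an added example (not from either poster), the script below answers both of Scott's questions on constructed audit.log records: it reads the timestamp out of the msg=audit(EPOCH.MS:SERIAL) field that every record carries, filters by a date/time window, and drops root (auid 0) and sudo records so that everyone else is shown. The sample lines, the field names it extracts and the 08:00-18:00 working window are assumptions for the demonstration.

```python
import re
from datetime import datetime, timezone

# Constructed sample audit.log records (not real data). The time is the EPOCH.MS
# inside msg=audit(...); auid is the login identity that survives su/sudo, uid
# is the effective user at the time of the event. On a live box the same
# timestamp handling is what "ausearch -ts today -te now -i" does for you.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1700000000.123:101): pid=900 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'
type=USER_CMD msg=audit(1700003600.456:102): pid=901 uid=1000 auid=1000 ses=3 msg='cwd="/home/alice" cmd=6964 exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_LOGIN msg=audit(1700007200.789:103): pid=902 uid=0 auid=0 ses=4 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=203.0.113.9 addr=203.0.113.9 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1700093600.000:104): pid=903 uid=0 auid=1001 ses=5 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=success'
"""

RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\):')
FIELD_RE = re.compile(r'\b(?P<key>auid|uid|exe|addr|ses)=(?P<val>"[^"]*"|\S+)')

def parse_record(line):
    """Return the record's UTC time, serial, type and selected key=value fields, or None."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = {"time": datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc),
           "serial": int(m["serial"]), "type": m["type"]}
    for f in FIELD_RE.finditer(line):
        rec.setdefault(f["key"], f["val"].strip('"'))  # first occurrence wins
    return rec

def review(log_text, start=None, end=None, exclude_root=True, exclude_sudo=True):
    """Records inside [start, end], minus root logins (auid 0) and sudo records."""
    kept = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or (start and rec["time"] < start) or (end and rec["time"] > end):
            continue
        if exclude_root and rec.get("auid") == "0":
            continue
        if exclude_sudo and rec.get("exe") == "/usr/bin/sudo":
            continue
        kept.append(rec)
    return kept

def off_hours(records, start_hour=8, end_hour=18):
    """Records whose UTC hour falls outside the assumed working window [start_hour, end_hour)."""
    return [r for r in records if not (start_hour <= r["time"].hour < end_hour)]

if __name__ == "__main__":
    for r in off_hours(review(SAMPLE_AUDIT_LOG)):
        print(r["time"].isoformat(), r["serial"], r["type"], "auid=" + r.get("auid", "?"), r.get("addr", ""))
```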