[CentOS] Interpreting audit logs?
johnny at centos.org
Mon Oct 29 09:48:44 UTC 2007
Scott Ehrlich wrote:
> Whenever I review audit logs, it is difficult for me to determine if an
> account was logged in at an usual day/time because there is no timestamp
> next to any entry, at least as I interpret the format. How, then, do I
> properly and successfully review the audit log entries based on a
> date/time stamp?
> Also, how can I filter out root and sudo account entries, displaying
> everyone else in audit?
tail -f /var/log/audit/audit.log | ausearch -i
The above will allow you to see the logs happen in real time and human
Do a man of ausearch and aureport for more info.
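As an added example (not from the thread, and not part of the audit tools themselves): the script below does by hand what the reply's `ausearch -i` does for the timestamp question, decoding the epoch seconds hidden inside each record's `msg=audit(SECONDS.MS:SERIAL)` field, and answers the second question by dropping root and sudo records. The sample log lines are constructed to look like RHEL/CentOS 5 era audit.log records; the hosts, users, PIDs and serial numbers are made up. The filter keys on `auid` (the login UID) rather than `uid`, because sshd itself runs as root, so `uid=0` appears on nearly every login record while `auid` names the account that actually logged in.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in the raw /var/log/audit/audit.log format.
# Hosts, users, PIDs and serial numbers are made up for this example.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1193651324.123:4567): user pid=2891 uid=0 auid=500 msg='acct="scott": exe="/usr/sbin/sshd" (hostname=192.0.2.10, addr=192.0.2.10, terminal=sshd res=success)'
type=USER_LOGIN msg=audit(1193654000.001:4580): user pid=2950 uid=0 auid=0 msg='acct="root": exe="/usr/sbin/sshd" (hostname=192.0.2.11, addr=192.0.2.11, terminal=sshd res=success)'
type=USER_CMD msg=audit(1193655555.321:4590): user pid=3010 uid=500 auid=500 msg='cwd="/home/scott" cmd=yum exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_LOGIN msg=audit(1193660000.555:4600): user pid=3100 uid=0 auid=501 msg='acct="alice": exe="/usr/sbin/sshd" (hostname=192.0.2.12, addr=192.0.2.12, terminal=sshd res=failed)'
type=CRED_ACQ msg=audit(1193660100.000:4601): user pid=3101 uid=0 auid=4294967295 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
"""

# The audit header: record type, then epoch seconds, milliseconds and serial number.
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<sec>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\):(?P<body>.*)$"
)
# key=value pairs in the body: double-quoted values may contain spaces; bare values
# stop at whitespace, commas, parentheses or the single quote that wraps msg='...'.
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|[^\s,()']+)")

AUID_UNSET = "4294967295"  # auid of processes with no login session (cron, boot)


def parse_record(line):
    """Parse one raw audit line into a dict with a UTC timestamp; None if not a record."""
    m = RECORD_RE.match(line)
    if m is None:
        return None
    ts = datetime.fromtimestamp(int(m["sec"]), tz=timezone.utc).replace(
        microsecond=int(m["ms"]) * 1000
    )
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["body"])}
    return {"type": m["type"], "time": ts, "serial": int(m["serial"]), "fields": fields}


def is_root_or_sudo(rec):
    """True for records attributed to root's login session, the root account, or sudo."""
    f = rec["fields"]
    exe = f.get("exe", "")
    return f.get("auid") == "0" or f.get("acct") == "root" or exe.rsplit("/", 1)[-1] == "sudo"


def review(log_text, hide_root_and_sudo=True):
    """Return (time, type, auid, acct, result) rows in readable form, oldest first."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if hide_root_and_sudo and is_root_or_sudo(rec):
            continue
        f = rec["fields"]
        auid = f.get("auid", "?")
        rows.append((
            rec["time"].strftime("%Y-%m-%d %H:%M:%S"),
            rec["type"],
            "unset" if auid == AUID_UNSET else auid,
            f.get("acct", "?"),
            f.get("res", "?"),
        ))
    return rows


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/audit/audit.log").read() on a real host.
    for row in review(SAMPLE_LOG):
        print("  ".join(row))
```

With the sample data the root login, the sudo command and the cron credential record disappear, leaving the two ordinary user logins with their times in UTC; pass `hide_root_and_sudo=False` to see all five. Timestamps are rendered in UTC on purpose, so that logs copied from several hosts line up regardless of each machine's local zone.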