[CentOS] Interpreting audit logs?

Mon Oct 29 09:48:44 UTC 2007
Johnny Hughes <johnny at centos.org>

Scott Ehrlich wrote:
> Whenever I review audit logs, it is difficult for me to determine if an
> account was logged in at an usual day/time because there is no timestamp
> next to any entry, at least as I interpret the format.   How, then do I
> properly and successfully review the audit log entries based on a
> date/time stamp?
> 
> Also, how can I filter out root and sudo account entries, displaying
> everyone else in audit?

tail -f /var/log/audit/audit.log | ausearch -i

The above will allow you to see the logs happen in real time and human
readable form.

Do a man of ausearch and aureport for more info.

Thanks,
Johnny Hughes
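For readers who want to see what `ausearch -i` is decoding, here is an added example (not from this thread or from the audit package) that reads the raw audit.log format directly. Every record carries its timestamp in the `msg=audit(EPOCH.MILLIS:SERIAL)` header, so the date/time is there even though it is not human readable; the example converts it to UTC, parses the key=value fields (including the nested `msg='...'` block), and drops root and sudo activity by looking at `auid` (the login uid) rather than `uid`, because sshd and login run as root and report `uid=0` even for an ordinary user's login. The log lines are constructed sample data, and the filter rules are assumptions about what "root and sudo entries" should mean.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in the raw auditd on-disk format (not real log data).
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1193651324.112:4321): user pid=2891 uid=0 auid=500 msg='acct="scott": exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=sshd res=success'
type=USER_CMD msg=audit(1193651330.500:4322): user pid=2900 uid=500 auid=500 msg='cwd="/home/scott" cmd="yum update" terminal=pts/0 res=success'
type=USER_START msg=audit(1193651330.600:4323): user pid=2900 uid=0 auid=500 msg='PAM: session open acct="root" : exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_LOGIN msg=audit(1193654900.010:4400): user pid=3100 uid=0 auid=0 msg='acct="root": exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=sshd res=failed'
"""

# Record header: type=... msg=audit(seconds.millis:serial): <body>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<epoch>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs; values may be 'single-quoted', "double-quoted" or bare.
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|[^\s'"]+)""")


def parse_fields(text):
    """Flatten key=value pairs, recursing into the nested msg='...' block."""
    fields = {}
    for m in FIELD_RE.finditer(text):
        key, raw = m.group(1), m.group(2)
        if raw.startswith("'") and raw.endswith("'"):
            fields.update(parse_fields(raw[1:-1]))
        else:
            fields[key] = raw.strip('"')
    return fields


def parse_record(line):
    """Return a dict with a UTC datetime, serial, type and fields, or None if not a record."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    epoch = int(m.group("epoch")) + int(m.group("ms")) / 1000.0
    return {
        "time": datetime.fromtimestamp(epoch, tz=timezone.utc),
        "serial": int(m.group("serial")),
        "type": m.group("type"),
        "fields": parse_fields(m.group("body")),
    }


def is_root_or_sudo(rec):
    """Assumed filter: anything done as login uid 0, or via sudo, is 'root/sudo' activity."""
    f = rec["fields"]
    # auid identifies the human who logged in; uid is the process owner and is
    # 0 for sshd/login even when a normal user is authenticating.
    if f.get("auid") == "0":
        return True
    # USER_CMD records are emitted by sudo; PAM records from sudo name it in exe.
    if rec["type"] == "USER_CMD" or f.get("exe", "").endswith("/sudo"):
        return True
    return False


def non_root_activity(log_text):
    """All parseable records that are not root or sudo activity, in log order."""
    out = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None and not is_root_or_sudo(rec):
            out.append(rec)
    return out


def format_record(rec):
    """One human-readable line per record, with the decoded timestamp first."""
    f = rec["fields"]
    return "%s #%d %s acct=%s auid=%s exe=%s res=%s" % (
        rec["time"].strftime("%Y-%m-%d %H:%M:%S UTC"),
        rec["serial"], rec["type"],
        f.get("acct", "?"), f.get("auid", "?"), f.get("exe", "?"), f.get("res", "?"),
    )


if __name__ == "__main__":
    for rec in non_root_activity(SAMPLE_AUDIT_LOG):
        print(format_record(rec))
```

On the sample data only the first record survives: the second and third are sudo activity and the fourth is a root login. To run this against a real file, replace `SAMPLE_AUDIT_LOG` with the contents of /var/log/audit/audit.log; the same header format is what `ausearch -ts` and `-te` match on when you search by date and time.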
