Scott Ehrlich wrote:
> Whenever I review audit logs, it is difficult for me to determine if an
> account was logged in at an unusual day/time because there is no timestamp
> next to any entry, at least as I interpret the format. How, then, do I
> properly and successfully review the audit log entries based on a
> date/time stamp?
>
> Also, how can I filter out root and sudo account entries, displaying
> everyone else in audit?

tail -f /var/log/audit/audit.log | ausearch -i

The above will allow you to see the logs happen in real time and in human-readable form.

Do a man of ausearch and aureport for more info.

Thanks,
Johnny Hughes
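A worked illustration of the point in the reply, added here and not part of the thread: every audit.log record does carry a timestamp, encoded as epoch seconds in the msg=audit(SECONDS.MILLIS:SERIAL) field, which is what ausearch -i decodes. The script below parses constructed sample records (not real log data), decodes that field to UTC, drops root (auid 0) and sudo events, and flags the rest as after-hours or not; the sample lines and the 22:00-06:00 window are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in Linux audit log format (not real log data).
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1193667200.123:456): pid=2001 uid=0 auid=500 ses=3 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=/dev/pts/1 res=success'
type=USER_CMD msg=audit(1193700000.001:457): pid=2010 uid=500 auid=500 ses=3 msg='cwd="/home/scott" cmd="ls" terminal=pts/1 res=success'
type=SYSCALL msg=audit(1193667300.500:458): arch=c000003e syscall=59 success=yes exit=0 ppid=2010 pid=2020 auid=500 uid=0 gid=0 euid=0 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=USER_START msg=audit(1193674400.777:459): pid=2100 uid=0 auid=0 ses=4 msg='op=PAM:session_open acct="root" exe="/bin/login" terminal=tty1 res=success'
"""

# msg=audit(<epoch seconds>.<millis>:<serial>) is where the timestamp lives.
MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")
# Generic key=value splitter; quoted values keep spaces, bare values stop at whitespace.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return a dict of fields plus a UTC datetime decoded from msg=audit(...), or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    epoch, _millis, serial = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["timestamp"] = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    fields["serial"] = int(serial)
    return fields


def is_root_or_sudo(ev):
    """True when the event is attributed to root (login uid 0) or was produced by sudo."""
    return (ev.get("auid") == "0"
            or ev.get("comm") == "sudo"
            or ev.get("exe", "").endswith("/sudo"))


def non_root_events(log_text, night_start=22, night_end=6):
    """Keep events not from root/sudo; tag each with whether it fell in the after-hours window (UTC)."""
    kept = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev is None or is_root_or_sudo(ev):
            continue
        hour = ev["timestamp"].hour
        ev["after_hours"] = hour >= night_start or hour < night_end
        kept.append(ev)
    return kept


if __name__ == "__main__":
    for ev in non_root_events(SAMPLE_LOG):
        flag = "AFTER-HOURS" if ev["after_hours"] else "business hours"
        print(ev["timestamp"].isoformat(), ev["type"], "auid=" + ev["auid"], flag)
```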