* Output of aureport in columns
@ 2012-07-12 20:26 Michael Mather
From: Michael Mather @ 2012-07-12 20:26 UTC (permalink / raw)
To: linux-audit
Hi,
I have managed to find an easy way to put the output of aureport into
neat columns. For example:
aureport -i -f | sed 's/=====/==== /g' | column -t
However, if I combine this with ausearch, as in:
ausearch -k ROOT |aureport -i -f | sed .....
then some lines come out properly and some have extra data that shifts
everything off. For example, here are two successive lines from the
output. The first has 9 fields and the second 15:
311. 12-07-12 16:21:03 /proc/self/loginuid open yes /usr/bin/sudo mm 597
312. 12-07-12 16:21:03 (null) inode=970 dev=08:01 mode=0100755 ouid=0
ogid=0 rdev=00:00 execve yes /sbin/aureport root 599
What is happening?
Thanks - Michael Mather
-----------------------
* Re: Output of aureport in columns
From: Steve Grubb @ 2012-07-13 13:22 UTC (permalink / raw)
To: linux-audit
On Thursday, July 12, 2012 04:26:25 PM Michael Mather wrote:
> Hi,
>
> I have managed to find an easy way to put the output of aureport into
> neat columns. For example:
>
> aureport -i -f | sed 's/=====/==== /g' | column -t
>
> However, if I combine this with ausearch, as in:
>
> ausearch -k ROOT |aureport -i -f | sed .....
Is this really the ausearch portion or did you omit some parameters for
brevity?
> then some lines come out properly and some have extra data that shifts
> everything off. For example, here are two successive lines from the
> output. The first has 9 fields and the second 15:
>
> 311. 12-07-12 16:21:03 /proc/self/loginuid open yes /usr/bin/sudo mm 597
> 312. 12-07-12 16:21:03 (null) inode=970 dev=08:01 mode=0100755 ouid=0
> ogid=0 rdev=00:00 execve yes /sbin/aureport root 599
>
> What is happening?
Does it behave better if you add --raw to the ausearch portion?
-Steve
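The shifted line in the report is easy to spot mechanically: `aureport -i -f` emits nine columns (number, date, time, file, syscall, success, exe, auid, event), and only the file column can ever contain whitespace, so anything peeled out of the middle that looks like `key=value` did not come from a cleanly parsed PATH record. The following checker is an added example, not code from the thread or from the audit package; it uses the two lines quoted above as constructed input (the second one rejoined onto one line) and reports which records carry leaked fields.

```python
"""Check aureport -i -f output for rows whose file column has absorbed
key=value debris (the symptom seen when aureport is fed interpreted
rather than --raw ausearch output).  Added example, not from the thread."""
import re

# Column layout of ``aureport -i -f``; only ``file`` may contain spaces,
# so it is recovered from the middle after fixing the fields at both ends.
FIELDS = ("num", "date", "time", "file", "syscall", "success", "exe", "auid", "event")

# Constructed input: the two report lines quoted in the thread, with the
# wrapped second line rejoined as aureport prints it.
SAMPLE = """\
311. 12-07-12 16:21:03 /proc/self/loginuid open yes /usr/bin/sudo mm 597
312. 12-07-12 16:21:03 (null) inode=970 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 execve yes /sbin/aureport root 599
"""

KV_TOKEN = re.compile(r"^\w+=\S*$")   # e.g. inode=970, dev=08:01


def parse_line(line):
    """Split one record into the nine columns; None for headers/separators."""
    tok = line.split()
    if len(tok) < len(FIELDS) or not tok[0].rstrip(".").isdigit():
        return None
    rec = dict(zip(FIELDS[:3], tok[:3]))
    rec["file"] = " ".join(tok[3:-5])          # everything between the fixed ends
    rec.update(zip(FIELDS[4:], tok[-5:]))
    return rec


def leaked_tokens(rec):
    """key=value tokens that ended up inside the file column."""
    return [t for t in rec["file"].split() if KV_TOKEN.match(t)]


def check_report(text):
    """Return (parsed records, [(record number, leaked tokens), ...])."""
    records, suspect = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        records.append(rec)
        leaked = leaked_tokens(rec)
        if leaked:
            suspect.append((rec["num"], leaked))
    return records, suspect


if __name__ == "__main__":
    for num, leaked in check_report(SAMPLE)[1]:
        print("record %s carries unparsed fields: %s" % (num, " ".join(leaked)))
```

Run it over the real pipeline with `ausearch -k ROOT | aureport -i -f | python3 check.py` (reading stdin instead of SAMPLE) before and after adding `--raw` to see the suspect list empty out.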
* RE: Output of aureport in columns
From: Patrick Synor @ 2012-07-13 13:27 UTC (permalink / raw)
To: Steve Grubb, linux-audit
Is it possible that the output for these tools is not directed to STDOUT completely? In which case you might have better luck redirecting output with something like 2>&1?
Just a thought...
* Re: Output of aureport in columns
From: Michael Mather @ 2012-07-13 17:09 UTC (permalink / raw)
To: linux-audit
Yes, Steve, adding --raw works beautifully. Thanks.
Now, where can I find a tutorial that might have taught me this?
And is there a way to search this list?
Michael Mather
--------------
* Re: Output of aureport in columns
From: Steve Grubb @ 2012-07-13 17:19 UTC (permalink / raw)
To: linux-audit
On Friday, July 13, 2012 01:09:00 PM Michael Mather wrote:
> Yes, Steve, adding --raw works beautifully. Thanks.
>
> Now, where can I find a tutorial that might have taught me this?
There is some discussion of this in the audit.rules man page under the section
NOTES. There was also an article about using the audit system to debug the
whole OS at once. The article gives some examples of stringing together
searches and reports:
http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf
> And is there a way to search this list?
You can use Google and the site operator to restrict the results:
site:www.redhat.com ausearch raw
-Steve