audisp resend question
Steve Grubb
sgrubb at redhat.com
Thu Dec 4 18:45:45 UTC 2008
On Thursday 04 December 2008 12:52:54 LC Bruzenak wrote:
> > All audisp plugins take their data from stdin. You can pipe the raw
> > output of ausearch into audisp-remote and it should do the right thing.
>
> OK, works for me...the last sent message on the collector is
> identifiable, but do timestamps (with full precision) work as input to
> the "-ts" switch?
Not at this point. Ausearch always shows the converted time unless you do a
--raw.
> I don't know how to remove duplicates (probably not an issue anyway).
Aureport is about the only thing that cares. Also, a duplicate
boot/login/logout will also affect aulast.
-Steve
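
Added example, not part of the original message or of the audit project's code: a stdin filter that sits between `ausearch --raw` and `audisp-remote`, applying a full-precision cutoff taken from the last record seen on the collector and dropping exact duplicate records. The function names, the script name `resend_filter.py`, the command-line argument form and the sample records are assumptions constructed for illustration.

```python
"""Filter raw audit records before resending them (illustrative example)."""
import re
import sys
from decimal import Decimal

# Every raw audit record carries msg=audit(<seconds>.<millis>:<serial>)
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Constructed sample records, not taken from a real log
SAMPLE = [
    'type=SYSCALL msg=audit(1228416300.101:40): arch=c000003e syscall=2 success=yes',
    'type=SYSCALL msg=audit(1228416345.123:41): arch=c000003e syscall=2 success=yes',
    'type=PATH msg=audit(1228416345.123:41): item=0 name="/etc/passwd"',
    'type=PATH msg=audit(1228416345.123:41): item=0 name="/etc/passwd"',
    'type=USER_LOGIN msg=audit(1228416345.987:42): pid=2001 uid=0 res=success',
]

def parse_event_id(text):
    """Return (Decimal timestamp, int serial), or None if no event id is present."""
    m = EVENT_ID.search(text)
    return (Decimal(m.group(1)), int(m.group(2))) if m else None

def filter_records(lines, last_sent=None):
    """Yield records at or after last_sent, dropping exact duplicate lines.

    last_sent is the (timestamp, serial) of the last record found on the
    collector. That event is resent in full because it may have arrived
    only partially; the cost is a possible duplicate on the collector.
    """
    seen = set()
    for line in lines:
        record = line.rstrip("\n")
        event = parse_event_id(record)
        if event is None:
            continue  # not an audit record
        if last_sent is not None and event < last_sent:
            continue  # already delivered
        if record in seen:
            continue  # exact duplicate of a record already emitted
        seen.add(record)
        yield record

if __name__ == "__main__":
    # Assumed usage: ausearch --raw -ts <start> |
    #   python3 resend_filter.py 1228416345.123:41 | audisp-remote
    cutoff = parse_event_id("msg=audit(%s)" % sys.argv[1]) if len(sys.argv) > 1 else None
    for rec in filter_records(sys.stdin, cutoff):
        print(rec)
```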