ausearch

Steve Grubb sgrubb at redhat.com
Sat Oct 17 16:05:49 UTC 2009


On Friday 16 October 2009 06:25:42 pm Pittigher, Raymond - CS wrote:
> I see that the -w or --word switch was added to the ausearch but how is it
> used?

It is used in addition to other matching. If you were to try this search:

ausearch --start today -f va

it will match any file that has va anywhere in it - for example /var/run would 
match. But if you change it to this:

ausearch --start today  -f va   -w

now, /var/run would no longer match. It would insist that the whole file path 
be va.


> But I have been trying
> 
> ausearch -w failed and variation of that but only get the message

You would just use "ausearch -sv no" to find failed records. Some search 
options do not do partial matches. The -w option does not take an argument.
 
-Steve
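The two matching modes Steve describes (substring match for -f by default, whole-field match once -w is added, and -sv no for failed records) can be illustrated with a small parser over audit-format records. The code below is an added example written for this page, not part of the audit package or of the mailing-list reply; the log lines are constructed, and the grouping of records into events by serial number is a simplification of what ausearch does.

```python
import re
from collections import OrderedDict

# Constructed sample records in the Linux audit log format (not real log data).
# Three events: a successful open of /var/run/utmp, a failed open of a file
# literally named "va", and a failed open of /etc/shadow.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1255708800.101:101): arch=c000003e syscall=2 success=yes exit=3 pid=2001 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="va"
type=PATH msg=audit(1255708800.101:101): item=0 name="/var/run/utmp" inode=1234 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1255708800.202:102): arch=c000003e syscall=2 success=no exit=-13 pid=2002 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="va"
type=PATH msg=audit(1255708800.202:102): item=0 name="va" inode=5678 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1255708800.303:103): arch=c000003e syscall=2 success=no exit=-13 pid=2003 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="shadow"
type=PATH msg=audit(1255708800.303:103): item=0 name="/etc/shadow" inode=9012 mode=0100000 ouid=0 ogid=42
"""

# key=value pairs; values are either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg=audit(<timestamp>:<serial>) ties records of one event together.
MSG_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')


def parse_record(line):
    """Parse one audit record into a dict of field -> value (quotes stripped)."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    m = MSG_RE.search(line)
    if m:
        fields["_timestamp"] = float(m.group(1))
        fields["_serial"] = int(m.group(2))
    return fields


def parse_events(text):
    """Group records by serial number: ausearch reports whole events, not single records."""
    events = OrderedDict()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        events.setdefault(rec["_serial"], []).append(rec)
    return events


def file_matches(name, pattern, whole_word):
    """-f PATTERN is a substring match by default; with -w the path must equal PATTERN."""
    if whole_word:
        return name == pattern
    return pattern in name


def search(events, file=None, whole_word=False, success=None):
    """Return serials of events satisfying the given criteria, in the spirit of
    'ausearch -f FILE [-w] [-sv yes|no]'. Simplification (assumption of this
    example): each criterion may be satisfied by any record within the event."""
    hits = []
    for serial, records in events.items():
        file_ok = file is None or any(
            "name" in r and file_matches(r["name"], file, whole_word) for r in records)
        success_ok = success is None or any(r.get("success") == success for r in records)
        if file_ok and success_ok:
            hits.append(serial)
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("-f va        :", search(events, file="va"))                   # [101, 102]
    print("-f va -w     :", search(events, file="va", whole_word=True))  # [102]
    print("-sv no       :", search(events, success="no"))                # [102, 103]
    print("-f va -w -sv no:", search(events, file="va", whole_word=True, success="no"))
```

Run as-is to see the difference: the substring search picks up /var/run/utmp because "va" occurs inside the path, while the whole-word search keeps only the event whose PATH name is exactly "va", and adding the success criterion narrows the result further, just as the options combine on the ausearch command line.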
