Yes please, 2 questions: 1) Is there a way to run aureport on updating auditd logs? That is, not running aureport on all logs, just updating the last aureport with the recent addition of logs? 2) Could aureport run on combined auditd logs from more than one computer and produce multiple outputs?
Thank you. To answer the above: for 1, use the --checkpoint option of ausearch to generate the events. For 2, assuming you disseminate the source hosts on the aggregating host, again multiple invocations of ausearch will work with the --checkpoint option. Rgds
-- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
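An added example, not part of either message in this thread: the reply's pattern of one checkpointed ausearch run per source host, modelled in POSIX shell over a constructed aggregated log. The real pipeline it stands in for is `ausearch --node HOST --checkpoint FILE --raw | aureport --summary` (ausearch's --node selects a source host's records from an aggregated log, --checkpoint makes each run emit only events not emitted before, and aureport accepts raw records on stdin). The checkpoint file format used here (just the last serial number seen), the host names web01/db01 and the sample records are this example's own simplifications and constructed data, not ausearch's checkpoint format or real audit output.

```shell
#!/bin/sh
# Added illustration (not from the linux-audit thread): emulate the effect of
#   ausearch --node HOST --checkpoint FILE --raw | aureport --summary
# on a constructed, aggregated audit log, one checkpoint per source host,
# so every run reports only the events that arrived since the previous run.

WORK=$(mktemp -d)
LOG="$WORK/audit.log"

# Constructed sample log: records from two hosts, tagged with node= the way
# an aggregating auditd prefixes records received from remote hosts.
cat > "$LOG" <<'EOF'
node=web01 type=USER_LOGIN msg=audit(1700000001.100:101): pid=1201 uid=0 res=success
node=db01 type=USER_LOGIN msg=audit(1700000001.200:55): pid=880 uid=0 res=failed
node=web01 type=USER_LOGIN msg=audit(1700000002.100:102): pid=1202 uid=0 res=failed
EOF

# new_events HOST CKPT: print HOST's records whose serial number is above the
# one stored in CKPT (0 when no checkpoint exists yet), then advance CKPT to
# the highest serial printed. Simplified stand-in for ausearch --checkpoint,
# which additionally records the log file identity and event time.
new_events() {
    host=$1; ckpt=$2
    last=0
    [ -f "$ckpt" ] && last=$(cat "$ckpt")
    awk -v host="$host" -v last="$last" -v ckpt="$ckpt" '
        BEGIN { max = last + 0 }
        $1 == ("node=" host) {
            # the serial is the number after ":" in msg=audit(secs.ms:serial):
            match($0, /msg=audit\([0-9.]+:[0-9]+\)/)
            s = substr($0, RSTART, RLENGTH)
            sub(/.*:/, "", s); sub(/\)/, "", s)
            if (s + 0 > last + 0) { print; if (s + 0 > max) max = s + 0 }
        }
        END { if (max > last + 0) print max > ckpt }
    ' "$LOG"
}

# count_new HOST CKPT: number of not-yet-reported events for HOST.
count_new() { new_events "$1" "$2" | wc -l | tr -d ' '; }

# report_host HOST: per-host summary (event counts by res= outcome) of the
# events not yet reported, standing in for `aureport --summary`. Each host
# keeps its own checkpoint file, giving one output per source host.
report_host() {
    new_events "$1" "$WORK/$1.ckpt" | awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /^res=/) n[$i]++ }
        END { for (k in n) print k, n[k] }' | sort
}
```

Run `report_host web01` once and it lists both of web01's events; run it again before anything new is appended and it prints nothing, because the checkpoint now holds serial 102. The db01 report is produced independently from its own checkpoint, which is the "multiple outputs" asked about in question 2.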