Scott Ehrlich wrote:
> Whenever I review audit logs, it is difficult for me to determine if an
> account was logged in at an unusual day/time because there is no timestamp
> next to any entry, at least as I interpret the format. How, then, do I
> properly and successfully review the audit log entries based on a
> date/time stamp?
>
> Also, how can I filter out root and sudo account entries, displaying
> everyone else in audit?
tail -f /var/log/audit/audit.log | ausearch -i
The above will allow you to see the logs happen in real time and in
human-readable form.
Do a man of ausearch and aureport for more info.
Thanks,
Johnny Hughes
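An added worked example (not from this thread or from the audit package) showing the two things the question asks for: where the timestamp actually lives in a raw audit.log line, and how to drop root and sudo activity while keeping everyone else. Each raw record carries `msg=audit(EPOCH.MILLIS:SERIAL)`; that epoch is what `ausearch -i` renders as a local-time date, and `ausearch -ts`/`-te` (for instance `-ts today -te now`) select a time window. ausearch filters are inclusive (`-ua 500` shows one uid), so excluding uid 0 and sudo is done here by a small script over the raw log. The sample lines below are constructed; only the line format is real. The filter keys on `auid` (the login uid, which survives su and sudo) rather than `uid`, because every sshd-generated record has `uid=0` and filtering on uid would hide all logins:

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in raw auditd format (not taken from the original
# thread). Real lines carry the same msg=audit(EPOCH.MILLIS:SERIAL) header.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1193682345.123:201): user pid=2101 uid=0 auid=500 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/1 res=success'
type=USER_END msg=audit(1193682400.456:202): user pid=2101 uid=0 auid=500 msg='op=PAM:session_close acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=SYSCALL msg=audit(1193682401.001:203): arch=c000003e syscall=59 success=yes exit=0 ppid=2150 pid=2151 auid=500 uid=0 gid=0 euid=0 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=USER_LOGIN msg=audit(1193690000.789:204): user pid=2300 uid=0 auid=0 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=tty1 res=success'
type=USER_LOGIN msg=audit(1193700000.000:205): user pid=2400 uid=0 auid=4294967295 msg='op=login id=501 exe="/usr/sbin/sshd" hostname=10.0.0.7 addr=10.0.0.7 terminal=/dev/pts/2 res=failed'
"""

# type=... msg=audit(seconds.millis:serial): <key=value fields>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<sec>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\): ?(?P<rest>.*)$"
)
# key=value pairs; a value is single-quoted (nested block), double-quoted or bare
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")

UNSET_AUID = "4294967295"  # auid before any login has set it (e.g. failed logins)


def parse_record(line):
    """Split one raw audit line into type, UTC timestamp, serial and a field dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, val in FIELD_RE.findall(m.group("rest")):
        if val.startswith("'"):
            # User-space records (USER_LOGIN, USER_END, ...) nest more key=value
            # pairs inside msg='...'; hoist them without overriding outer uid/auid.
            for ik, iv in FIELD_RE.findall(val[1:-1]):
                fields.setdefault(ik, iv.strip('"'))
        else:
            fields[key] = val.strip('"')
    ts = datetime.fromtimestamp(int(m.group("sec")), tz=timezone.utc)
    ts = ts.replace(microsecond=int(m.group("ms")) * 1000)
    return {"type": m.group("type"), "time": ts,
            "serial": int(m.group("serial")), "fields": fields}


def is_privileged(rec):
    """True for records from root's own login session or produced by sudo."""
    f = rec["fields"]
    if f.get("auid") == "0":
        return True
    return f.get("comm") == "sudo" or f.get("exe", "").endswith("/sudo")


def _as_datetime(bound):
    # accept an aware datetime or an ISO 8601 string such as "2007-10-29T20:00:00+00:00"
    return datetime.fromisoformat(bound) if isinstance(bound, str) else bound


def review(log_text, start=None, end=None, include_privileged=False):
    """Records inside [start, end] (None = unbounded), minus root/sudo by default."""
    start, end = _as_datetime(start), _as_datetime(end)
    out = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if start is not None and rec["time"] < start:
            continue
        if end is not None and rec["time"] > end:
            continue
        if not include_privileged and is_privileged(rec):
            continue
        out.append(rec)
    return out


def format_record(rec):
    """One review line: UTC time, record type, login uid and result."""
    f = rec["fields"]
    auid = f.get("auid", "?")
    if auid == UNSET_AUID:
        auid = "unset"
    return "%s  %-10s auid=%-5s %s" % (
        rec["time"].strftime("%Y-%m-%d %H:%M:%S UTC"), rec["type"], auid, f.get("res", ""))


if __name__ == "__main__":
    # Everything by non-root, non-sudo principals from 20:00 UTC on 2007-10-29 onward;
    # the failed login with an unset auid is kept on purpose, since it is exactly
    # the kind of entry an off-hours review should surface.
    for rec in review(SAMPLE_LOG, start="2007-10-29T20:00:00+00:00"):
        print(format_record(rec))
```

Pointing `review()` at the contents of `/var/log/audit/audit.log` (or at the output of `ausearch --raw`, which keeps the same line format) does the same on a real system; times are converted to UTC here so that the window is unambiguous, whereas `ausearch -i` prints local time.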