Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 376
Hide thumbs
Also See for LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009:
- Administration manual (338 pages) ,
- Deployment manual (246 pages) ,
- Application manual (364 pages)
Table of Contents
Advertisement
audit/audit.log. Not all record types contain the same search phrases. There are
no hostname or uid entries in a PATH record, for example. When searching, make
sure that you choose appropriate search criteria to catch all records you need. On the
other hand, you could be searching for a specific type of record and still get various
other related records along with it. This is caused by different parts of the kernel con-
tributing additional records for events that are related to the one to find. For example,
you would always get a PATH record along with the SYSCALL record for an open
system call.
TIP: Using Multiple Search Options
Any of the command line options can be combined with logical AND operators
to narrow down your search.
Read Audit Logs from Another File
When the audit logs have moved to another machine or when you want to analyze
the logs of a number of machines on your local machine without wanting to connect
to each of these individually, move the logs to a local file and have ausearch search
them locally:
Convert Numeric Results into Text
Some information, such as user IDs are printed in numeric form. To convert these
into human readable text format, add the -i option to your ausearch command.
Search by Audit Event ID
If you have previously run an audit report or done an autrace, you might want to
analyze the trail of a particular event in the log. Most of the report types described
in
include audit event IDs in their output. An audit event ID is the second part of an
audit message ID, which consists of a UNIX epoch time stamp and the audit event
ID separated by a colon. All events that are logged from one application's system
call have the same event ID. Use this event ID with ausearch to retrieve this event's
trail from the log.
The autrace tool asks you to review the complete trail of the command traced in
the logs using ausearch. autrace provides you with the complete ausearch command
including the audit event ID.
364
Security Guide
ausearch -option -if myfile
Section 30.5, "Understanding the Audit Logs and Generating Reports"
(page 351)
Advertisement
Table of Contents
Related Manuals for Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009
Related Products for Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009
- NOVELL EDIRECTORY 8.8 SP2 - GUIDE 10-2007
- NOVELL EDIRECTORY 8.8 SP5 - GUIDE 12-2009
- NOVELL IDENTITY MANAGER 3.6.1 - WORKORDER DRIVER IMPLEMENTATION GUIDE 18-12-2009
- NOVELL LINUX ENTERPRISE 11 - SUBSCRIPTION MANAGEMENT TOOL GUIDE 10-02-2009
- NOVELL OPEN ENTERPRISE SERVER - CONVERSION GUIDE 12-2010
- NOVELL OPEN ENTERPRISE SERVER 2 SP2 - PLANING AND IMPLEMENTATION GUIDE 11-10-2009
- NOVELL PLATESPIN ORCHESTRATE 2.0.2 - UPGARDE GUIDE 10-09-2009
- NOVELL PLATESPIN ORCHESTRATE 2.0.2 - VIRTUAL MACHINE MANAGEMENT GUIDE 10-17-2009
- NOVELL PRODUCT NAME 10.3 - DEPLOYING ZENWORKS ON CITRIX SERVER BEST PRACTICES GUIDE 12-13-2010
- NOVELL SERVER CONSOLIDATION MIGRATION TOOLKIT 1.1 - ADMINISTRATION GUIDE 12-23-2005
- NOVELL ZENWORKS APPLICATION VIRTUALIZATION 8.0.2 - INTEGRATION AND STREAMING GUIDE 11-2010
- NOVELL ACCESS MANAGER 3.1 SP1 - SSL VPN SERVER GUIDE 03-17-2010
- NOVELL CUSTOMER CENTER 2.3 - GUIDE 4-8-2009
- NOVELL IFOLDER 3.X - SECURITY ADMINISTRATOR GUIDE 08-15-2006
- NOVELL LINUX ENTERPRISE SERVER 10 - START-UP GUIDE 06-12-2006
- NOVELL LINUX ENTERPRISE SERVER 10 SP2 - STORAGE ADMINISTRATION GUIDE 05-15-2009