filtering out audit output
by Levy, Mark (IT Solutions)
Hi, I'm trying to find a way to filter out some of the excess output from netiq which does a df every 10 seconds. I haven't had any success yet and was hoping someone could point me the right direction. Below is the output that I would like to filter out.
node=newman.netiq.northgrum.com type=CWD msg=audit(02/01/2011 01:26:09.976:336030) : cwd=/usr/netiq/vsau/bin
node=newman.netiq.northgrum.com type=EXECVE msg=audit(02/01/2011 01:26:09.976:336030) : argc=(null) a0=/bin/df a1=-kP a2=../local/spool
node=newman.netiq.northgrum.com type=SYSCALL msg=audit(02/01/2011 01:26:09.976:336030) : arch=x86_64 syscall=execve per=400000 success=yes exit=0 a0=7fffe76acc58 a1=7fffe76aa
af8 a2=603c90 a3=0 items=2 ppid=3465 pid=9347 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4294967295 comm=df exe
=/bin/df key=(null)
----
node=newman.netiq.northgrum.com type=PATH msg=audit(02/01/2011 01:26:20.019:336035) : item=1 name=(null) inode=2420400 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
node=newman.netiq.northgrum.com type=PATH msg=audit(02/01/2011 01:26:20.019:336035) : item=0 name=/bin/df inode=2812595 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
node=newman.netiq.northgrum.com type=CWD msg=audit(02/01/2011 01:26:20.019:336035) : cwd=/usr/netiq/vsau/bin
node=newman.netiq.northgrum.com type=EXECVE msg=audit(02/01/2011 01:26:20.019:336035) : argc=(null) a0=/bin/df a1=-kP a2=../local/spool
node=newman.netiq.northgrum.com type=SYSCALL msg=audit(02/01/2011 01:26:20.019:336035) : arch=x86_64 syscall=execve per=400000 success=yes exit=0 a0=7fff691c1c58 a1=7fff691bf
b68 a2=603c90 a3=0 items=2 ppid=3465 pid=9355 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4294967295 comm=df exe
=/bin/df key=(null)
----
node=newman.netiq.northgrum.com type=PATH msg=audit(02/01/2011 01:26:30.055:336036) : item=1 name=(null) inode=2420400 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
node=newman.netiq.northgrum.com type=PATH msg=audit(02/01/2011 01:26:30.055:336036) : item=0 name=/bin/df inode=2812595 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
node=newman.netiq.northgrum.com type=CWD msg=audit(02/01/2011 01:26:30.055:336036) : cwd=/usr/netiq/vsau/bin
node=newman.netiq.northgrum.com type=EXECVE msg=audit(02/01/2011 01:26:30.055:336036) : argc=(null) a0=/bin/df a1=-kP a2=../local/spool
node=newman.netiq.northgrum.com type=SYSCALL msg=audit(02/01/2011 01:26:30.055:336036) : arch=x86_64 syscall=execve per=400000 success=yes exit=0 a0=7fffc4b4ec58 a1=7fffc4b4e
378 a2=603c90 a3=0 items=2 ppid=3465 pid=9356 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4294967295 comm=df exe
=/bin/df key=(null)
----
node=newman.netiq.northgrum.com type=PATH msg=audit(02/01/2011 01:26:40.092:336051) : item=1 name=(null) inode=2420400 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
node=newman.netiq.northgrum.com type=PATH msg=audit(02/01/2011 01:26:40.092:336051) : item=0 name=/bin/df inode=2812595 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
node=newman.netiq.northgrum.com type=CWD msg=audit(02/01/2011 01:26:40.092:336051) : cwd=/usr/netiq/vsau/bin
node=newman.netiq.northgrum.com type=EXECVE msg=audit(02/01/2011 01:26:40.092:336051) : argc=(null) a0=/bin/df a1=-kP a2=../local/spool
node=newman.netiq.northgrum.com type=SYSCALL msg=audit(02/01/2011 01:26:40.092:336051) : arch=x86_64 syscall=execve per=400000 success=yes exit=0 a0=7fff2b0d4c58 a1=7fff2b0d2
af8 a2=603c90 a3=0 items=2 ppid=3465 pid=9372 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4294967295 comm=df exe
=/bin/df key=(null)
Thanks for any help
Mark
13 years, 10 months
- 2
- 1