If I centralize audit logging through rsyslog, and I have each of the remote machines' /etc/rsyslog.conf use the same generic audit.log file name instead of customizing the audit logs with something like HOSTNAME-audit.log, because ausearch apparently only looks for a file specifically of the format audit.log…

Will the log data submitted from the various hosts be consolidated into a single file? Will the ausearch command then be usable with the --if argument?
Warron French, MBA, SCSA