On 09/29/2016 04:34 PM, Burn Alting wrote:
> Lenny,
> I typically use
>
>   TZ=UTC ausearch -i --input-logs \
>     --checkpoint <somepath>/auditd_checkpoint.txt
>
> but I also set auditd.conf to have 9 x 32MB log files so the checkpoint
> code only scans the more recent files.

OK; thanks Burn. I store 20 x 100MB files; I need that many for my purposes.
I'll be testing it again under controlled conditions; seems like what I
need in one instance.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com