On Tue, 30 Jan 2007 12:06:06 EST, Joshua Brindle said:
> This is fairly off topic here (selinux list) but I agree with Karl. As a
> recovering admin I think I can say that admins expect to be able to use
> various unix utilities to inspect log files, particularly tail -f.
As a counter-example - lastcomm and last.
If you want to use tail -f, don't run auditd, and use syslog-ng(*) or similar
to send the msgs you're interested in to a file that you can tail -f.
Or you *can* tail -f the file, just be ready to deal with the fact that it
contains binary data, same as the process accounting file and the last-login
file.
(*) syslog-ng can route to logfiles based on a regexp, so you don't have to
send all kernel output to the same file...