On Thursday, July 12, 2012 04:26:25 PM Michael Mather wrote:
Hi,
I have managed to find an easy way to put the output of aureport into
neat columns. For example:
aureport -i -f | sed 's/=====/==== /g' | column -t
However, if I combine this with ausearch, as in:
ausearch -k ROOT |aureport -i -f | sed .....
Is this really the ausearch portion or did you omit some parameters for
brevity?
then some lines come out properly and some have extra data that shifts
everything off. For example, here are two successive lines from the
output. The first has 9 fields and the second 15:
311. 12-07-12 16:21:03 /proc/self/loginuid open yes /usr/bin/sudo mm 597
312. 12-07-12 16:21:03 (null) inode=970 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 execve yes /sbin/aureport root 599
What is happening?
Does it behave better if you add --raw to the ausearch portion?
-Steve
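Added example, not code from either poster: the two quoted lines differ in field count because the `(null)` file entry carries the inode=/dev=/mode=/ouid=/ogid=/rdev= detail as separate tokens. The script below folds those key=value tokens into the preceding file field so every line has the same number of whitespace-separated fields before it reaches `column -t`. The sample input is constructed from the two lines quoted above; the function and variable names are our own and not part of audit's tools.

```shell
#!/bin/sh
# Added example (not from the original thread). Folds the extra key=value
# detail that aureport -i -f prints after a (null) file name into the file
# field, so every line has the same number of fields and `column -t`
# lines up. Sample lines are constructed from the two quoted in the thread.

SAMPLE_AUREPORT_OUTPUT='311. 12-07-12 16:21:03 /proc/self/loginuid open yes /usr/bin/sudo mm 597
312. 12-07-12 16:21:03 (null) inode=970 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 execve yes /sbin/aureport root 599'

# Read report lines on stdin, write lines with a constant field count.
# A token of the form key=value is appended (comma-separated) to the
# field before it instead of becoming a field of its own.
normalize_aureport_file_lines() {
    awk '
    {
        n = 0
        for (i = 1; i <= NF; i++) {
            if (n > 0 && $i ~ /^[a-z]+=/) {
                # key=value detail belongs to the preceding file field
                f[n] = f[n] "," $i
            } else {
                f[++n] = $i
            }
        }
        line = f[1]
        for (i = 2; i <= n; i++) line = line " " f[i]
        print line
    }'
}

# Distinct field counts seen on stdin; a single value means the
# columns are aligned (used to check the input before and after).
distinct_field_counts() {
    awk '{ print NF }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: show the normalized report, through column -t when available.
if command -v column >/dev/null 2>&1; then
    printf '%s\n' "$SAMPLE_AUREPORT_OUTPUT" | normalize_aureport_file_lines | column -t
else
    printf '%s\n' "$SAMPLE_AUREPORT_OUTPUT" | normalize_aureport_file_lines
fi
```

In practice the normalizer goes between the `sed` and the `column -t` of the original pipeline; the folded detail stays readable in the file column and the remaining columns (syscall, success, exe, auid, event) no longer drift.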