Re: corrupted checkpoint

Phillippe, for events with time stamps equal to or after the given start time. The format of start time depends on your locale. You can check the format of your locale by running date '+%x'. If the date is omitted, today is assumed. If the time is omitted, midnight is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date using the en_US.utf8 locale is 09/03/2009. An example of time is 18:00:00. The date format accepted is influenced by the LC_TIME environmental variable. You may also use the word: now, recent, boot, today, yesterday, this- week, week-ago, this-month, this-year, or checkpoint. Boot means the time of day to the second when the system last booted. Today means starting at 1 second after midnight. Recent is 10 minutes ago. Yesterday is 1 second after midnight the previous day. This-week means starting 1 second after midnight on day 0 of the week determined by your locale (see localtime). Week-ago means starting 1 second after midnight exactly 7 days ago. This-month means 1 second after midnight on day 1 of the month. This- year means the 1 second after midnight on the first day of the first month. checkpoint means ausearch will use the timestamp found within a valid checkpoint file ignoring the recorded inode, device, serial, node and event type also found within a checkpoint file. Essen‐ tially, this is the recovery action should an invocation of ausearch with a checkpoint option fail with an exit status of 10, 11 or 12. It could be used in a shell script something like: ausearch --checkpoint /etc/audit/auditd_checkpoint.txt -i _au_status=$? if test ${_au_status} eq 10 -o ${_au_status} eq 11 -o ${_au_status} eq 12 then ausearch --checkpoint /etc/audit/auditd_checkpoint.txt --start checkpoint -i fi That said, rather than sending events from multiple hosts to a single combined file, I would strongly recommend one maintain multiple files, one per host. The most recent change to the ausearch checkpoint code addressed this. Sogiven a directory structure like say, repository/ repository/year/ repository/year/month repository/year/month/day repository/year/month/day/hosta/auditd.log repository/year/month/day/hostb/auditd.log repository/year/month/day/hostc/auditd.log ... repository/year/month/day/hostN/auditd.log one could orchestrate a script that run's multiple ausearch commands along the lines of ausearch -if repository/year/month/day/hosta/auditd.log --checkpoint .../hosta.chkpt ... ausearch -if repository/year/month/day/hostb/auditd.log --checkpoint .../hostb.chkpt ... etc On Fri, 2020-02-28 at 10:46 +0000, MAUPERTUIS, PHILIPPE wrote: