Greetings,
I have a requirement to archive audits daily. I can use the
audit tools to get all the records for a single day:
ausearch -ts 10/16/2008 00:00:00 -te 10/16/2008 23:59:60
but this returns a processed log entry. I would like the
resulting event data to be in exactly the same format as the
original file instead so the ausearch and aureport tools
can be run directly on the resulting data file. When I try
it with the ausearch data I get weird date results for the
start date. I would have guessed at -u for unprocessed,
or -r for raw, but I don't see an option like this. Is there
a way to accomplish this that I am missing?
Thanks in advance,
_____ ______________
\ / /__________ /
| | . ... . | | Ed Christiansen
| | : .. .. : | | Group 93 ISSO/IT Team Lead
| | . ... . | |
| | : .. .. : | | MIT Lincoln Laboratory - Building S
| | .. . .. | | 244 Wood St
| | . .. .. . | | Lexington MA 02420-9185
| | :. ... .: | |
| | . .. .. . | |
| | . ... . | |
| |___________ | |
/_____________/ /___\
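Added example (not part of the message above, and not from the audit project): one way to get a day's records in the unformatted audit.log layout is to filter the raw log file by the epoch timestamp inside each record's msg=audit(SECONDS.MILLIS:SERIAL) field, so that the output is byte-for-byte the original records and can be fed back to ausearch and aureport with -if. The function below is hypothetical glue written for this page; the audit lines it runs on are constructed sample data, and the day_bounds helper assumes GNU date -d.

```shell
#!/bin/sh
# Extract one day's records from a raw audit.log without reformatting them.
# Records of one event share the same timestamp:serial, so an event is kept
# or dropped as a whole; filtering on the integer seconds is enough.

# audit_day_extract START_EPOCH END_EPOCH  (start inclusive, end exclusive)
# Reads raw audit records on stdin, prints matching records unchanged.
audit_day_extract() {
  awk -v s="$1" -v e="$2" '
    match($0, /msg=audit\([0-9]+\./) {
      # "msg=audit(" is 10 chars; RLENGTH also covers the trailing "."
      ts = substr($0, RSTART + 10, RLENGTH - 11) + 0
      if (ts >= s && ts < e) print
    }'
}

# day_bounds YYYY-MM-DD -> prints start and end epoch of that local day.
# Assumes GNU date (-d); on other systems compute the two numbers another way.
day_bounds() {
  date -d "$1 00:00:00" +%s
  date -d "$1 00:00:00 1 day" +%s
}

# Constructed sample log: records just before, inside, and just after
# 2008-10-16 UTC (1224115200 .. 1224201600). Not real audit data.
sample_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1224115199.900:100): arch=c000003e syscall=59 success=yes exit=0
type=SYSCALL msg=audit(1224115200.000:101): arch=c000003e syscall=2 success=yes exit=3
type=PATH msg=audit(1224115200.000:101): item=0 name="/etc/passwd" inode=1234
type=USER_LOGIN msg=audit(1224180000.500:222): pid=4321 uid=0 auid=500 ses=1 res=success
type=SYSCALL msg=audit(1224201600.000:333): arch=c000003e syscall=2 success=no exit=-13
EOF
}

# Typical use against the live log (run as root), writing a raw day file:
#   set -- $(day_bounds 2008-10-16)
#   audit_day_extract "$1" "$2" < /var/log/audit/audit.log > audit-2008-10-16.log
#   ausearch -if audit-2008-10-16.log -m USER_LOGIN
#   aureport  -if audit-2008-10-16.log --summary
```

Because nothing in the record is rewritten, the resulting file is accepted by ausearch -if and aureport -if exactly like the original audit.log. If you can rotate the log (ausearch/aureport read all rotated files by default), remember that records for one day may also sit in audit.log.1, so run the filter over the concatenation of the relevant files. Note also that current versions of ausearch carry a -r/--raw option that prints matched records unformatted, which is the same effect; that is a property of newer audit releases, not something stated in the message above.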