Lenny,

When checkpoint was initially added, such activity (one by one event consumption) was not envisaged. If this is needed I can look into providing it.

Pls advise.

Rgds
Burn

On Wed, 2021-03-17 at 19:02 -0500, Lenny Bruzenak wrote:
> I'm trying to use the ausearch checkpoint feature in conjunction with
> the "--just-one" option in order to parse some events one at a time.
>
> However, using this I only get the first event (audit 2.8.5).
>
> IOW I'm doing:
>
> # let CNT=10
> # while [ $CNT -gt 0 ] ; do
> > auditctl -m "Event $CNT"
> > let CNT=$CNT-1
> > done
>
> # ausearch -i -ts recent --checkpoint /tmp/check --just-one -m user
>
> < Returns event 10 >
>
> but
>
> # ausearch -i --checkpoint /tmp/check --just-one -m user
>
> <no matches>
>
> Thx,
>
> LCB
--
Linux-audit mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/linux-audit
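One way to get the one-event-at-a-time consumption discussed in this thread without relying on ausearch's own checkpoint file, as an added example that is not from the thread or the audit project: a shell function that reads raw audit records on stdin and keeps its own checkpoint holding the `seconds.millis:serial` id of the last event it returned. The names `next_event` and `sample_log`, the checkpoint file format, and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample records, shaped like raw USER events from `auditctl -m`.
sample_log() {
cat <<'EOF'
type=USER msg=audit(1616025720.101:501): pid=4101 uid=0 auid=1000 ses=3 msg='Event 3 exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/0 res=success'
type=USER msg=audit(1616025720.109:502): pid=4102 uid=0 auid=1000 ses=3 msg='Event 2 exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/0 res=success'
type=USER msg=audit(1616025720.118:503): pid=4103 uid=0 auid=1000 ses=3 msg='Event 1 exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/0 res=success'
EOF
}

# next_event CKPT_FILE  (raw records on stdin, in log order)
# Prints every record of the first event that follows the id stored in
# CKPT_FILE (or the first event if the file is empty), then stores that
# event's id. Returns 1 and leaves the checkpoint alone when nothing is new.
next_event() {
    ckpt=$1
    last=""
    [ -s "$ckpt" ] && last=$(cat "$ckpt")
    awk -v last="$last" -v ckpt="$ckpt" '
        match($0, /audit\([0-9]+\.[0-9]+:[0-9]+\)/) {
            # Strip the leading "audit(" and the trailing ")".
            id = substr($0, RSTART + 6, RLENGTH - 7)
            if (pick == "") {
                # Select the first id seen after the checkpointed one.
                if ((last == "" || armed) && id != last) pick = id
                if (id == last) armed = 1
            }
            # An event can span several records sharing one id.
            if (id == pick) print
        }
        END {
            if (pick == "") exit 1
            print pick > ckpt
        }'
}

# Demo: drain the sample log one event per call.
demo_ck=$(mktemp)
while sample_log | next_event "$demo_ck"; do
    echo "-- checkpoint now $(cat "$demo_ck")"
done
rm -f "$demo_ck"
```

If the checkpointed id no longer appears in the input (for example after log rotation), `next_event` returns 1 rather than guessing, so the caller has to decide whether to reset the checkpoint file.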
