
I want to follow my audit log live so I can watch for events, and pipe it through praudit to make it human readable. All commands below are run as root.

When I run tail -f /var/audit/current | praudit it just prints the last 5 lines and immediately exits. Whereas tail -f /var/audit/current | cat waits and prints out the raw audit log as it is written. What is the essential difference between praudit and cat? They both claim to read from stdin, which they both appear to do, except praudit just gives up without waiting for an EOF? Or something?

Would love to know why this is the case, and if there's a way to get the behaviour I want somehow, preferably without having to modify praudit...

I'm on macOS 10.14.3

1 Answer


You'll be able to achieve what you need without the additional commands (meaning cat and praudit).

Simply issuing tail -f /var/audit/current will give you the last 10 lines, and wait for further output.

EDIT1: Ok, I see why you want to use praudit. Wasn't familiar with this command myself.

EDIT2: Try this: sudo praudit /dev/auditpipe

Audit pipes are cloning pseudo-devices in the device file system which allow applications to tap the live audit record stream. This is primarily of interest to authors of intrusion detection and system monitoring applications. However, for the administrator the audit pipe device is a convenient way to allow live monitoring without running into problems with audit trail file ownership or log rotation interrupting the event stream.
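As an added example, not part of the question or the answer above: a small Python consumer for praudit's text stream (run as `praudit /dev/auditpipe | python3 audit_watch.py`) that groups tokens into records, skips a record the stream was joined in the middle of, and filters by event name or failure status. The sample lines are constructed, and the token layout assumed is praudit's default comma-separated, one-token-per-line output.

```python
"""Consume praudit's text output and summarise each audit record.

Live use: praudit /dev/auditpipe | python3 audit_watch.py
Assumed format: one token per line, comma-separated fields, each record
delimited by a "header" token and a "trailer" token.
"""
import sys


def parse_records(lines):
    """Yield one dict per complete record. Tokens seen before the first
    header (stream joined mid-record) are skipped instead of crashing."""
    record = None
    for raw in lines:
        fields = raw.strip().split(",")
        token = fields[0]
        if token == "header":
            # header,<bytes>,<version>,<event>,<modifier>,<time>, + <n> msec
            record = {"event": fields[3], "time": fields[5].strip(),
                      "user": None, "path": None, "status": None}
        elif record is None:
            continue  # partial record: no header seen yet
        elif token == "subject":
            # subject,<audit uid>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<tid>
            record["user"] = fields[1]
        elif token == "path":
            record["path"] = fields[1]
        elif token == "return":
            # return,<success|failure>,<value or error text>
            record["status"] = fields[1]
        elif token == "trailer":
            yield record
            record = None


def watch(lines, events=None, failures_only=False):
    """Return one summary string per record that passes the filters."""
    hits = []
    for r in parse_records(lines):
        if events and r["event"] not in events:
            continue
        if failures_only and r["status"] != "failure":
            continue
        hits.append(f"{r['time']} {r['status']} {r['event']} "
                    f"user={r['user']} path={r['path']}")
    return hits


# Constructed sample shaped like praudit output; the first two lines mimic
# joining the stream partway through a record (compare tail -f on the trail).
SAMPLE = """\
return,success,0
trailer,80
header,137,11,execve(2),0,Mon Feb 18 14:03:11 2019, + 257 msec
path,/usr/bin/sudo
subject,alice,root,wheel,alice,staff,4242,100004,50331650,0.0.0.0
return,success,0
trailer,137
header,96,11,OpenSSH login,0,Mon Feb 18 14:05:40 2019, + 12 msec
subject,-1,-1,-1,-1,-1,4300,100005,50331651,203.0.113.7
return,failure,Authentication failed
trailer,96
""".splitlines()

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for summary in watch(source):
        print(summary)
```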