Why does `tail -f /var/audit/current | praudit` just print 5 lines and exit immediately?












1















I want to follow my audit log live so I can watch for events, and pipe it through praudit to make it human readable. All commands below are run as root.



When I run tail -f /var/audit/current | praudit is just prints the last 5 lines and immediately exits. Whereas tail -f /var/audit/current | cat waits and prints out the raw audit log as it is written. What is the essential difference between praudit and cat? They both claim to read from stdin which they both appear to do, except praudit just gives up without waiting for an EOF? Or something?



Would love to know why this is the case, and if there's a way to get the behaviour I want somehow, preferably without having to modify praudit...



I'm on macOS 10.14.3






macos bash tail auditd darwin







share|improve this question























  • So, I found a tool that lets me stream realtime audit logs from /dev/auditpipe instead: newosxbook.com/tools/supraudit.html still curious on the oddities of praudit not waiting on more input though.

    – Sam Salisbury
    Feb 15 at 14:47


















1















I want to follow my audit log live so I can watch for events, and pipe it through praudit to make it human readable. All commands below are run as root.



When I run tail -f /var/audit/current | praudit is just prints the last 5 lines and immediately exits. Whereas tail -f /var/audit/current | cat waits and prints out the raw audit log as it is written. What is the essential difference between praudit and cat? They both claim to read from stdin which they both appear to do, except praudit just gives up without waiting for an EOF? Or something?



Would love to know why this is the case, and if there's a way to get the behaviour I want somehow, preferably without having to modify praudit...



I'm on macOS 10.14.3






macos bash tail auditd darwin







share|improve this question























  • So, I found a tool that lets me stream realtime audit logs from /dev/auditpipe instead: newosxbook.com/tools/supraudit.html still curious on the oddities of praudit not waiting on more input though.

    – Sam Salisbury
    Feb 15 at 14:47
















1












1








1








I want to follow my audit log live so I can watch for events, and pipe it through praudit to make it human readable. All commands below are run as root.



When I run tail -f /var/audit/current | praudit is just prints the last 5 lines and immediately exits. Whereas tail -f /var/audit/current | cat waits and prints out the raw audit log as it is written. What is the essential difference between praudit and cat? They both claim to read from stdin which they both appear to do, except praudit just gives up without waiting for an EOF? Or something?



Would love to know why this is the case, and if there's a way to get the behaviour I want somehow, preferably without having to modify praudit...



I'm on macOS 10.14.3






macos bash tail auditd darwin







share|improve this question














I want to follow my audit log live so I can watch for events, and pipe it through praudit to make it human readable. All commands below are run as root.



When I run tail -f /var/audit/current | praudit is just prints the last 5 lines and immediately exits. Whereas tail -f /var/audit/current | cat waits and prints out the raw audit log as it is written. What is the essential difference between praudit and cat? They both claim to read from stdin which they both appear to do, except praudit just gives up without waiting for an EOF? Or something?



Would love to know why this is the case, and if there's a way to get the behaviour I want somehow, preferably without having to modify praudit...



I'm on macOS 10.14.3






macos bash tail auditd darwin




macos bash tail auditd darwin






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Feb 15 at 12:39









Sam SalisburySam Salisbury

1065




1065













  • So, I found a tool that lets me stream realtime audit logs from /dev/auditpipe instead: newosxbook.com/tools/supraudit.html still curious on the oddities of praudit not waiting on more input though.

    – Sam Salisbury
    Feb 15 at 14:47





















  • So, I found a tool that lets me stream realtime audit logs from /dev/auditpipe instead: newosxbook.com/tools/supraudit.html still curious on the oddities of praudit not waiting on more input though.

    – Sam Salisbury
    Feb 15 at 14:47



















So, I found a tool that lets me stream realtime audit logs from /dev/auditpipe instead: newosxbook.com/tools/supraudit.html still curious on the oddities of praudit not waiting on more input though.

– Sam Salisbury
Feb 15 at 14:47







So, I found a tool that lets me stream realtime audit logs from /dev/auditpipe instead: newosxbook.com/tools/supraudit.html still curious on the oddities of praudit not waiting on more input though.

– Sam Salisbury
Feb 15 at 14:47












1 Answer
1






active

oldest

votes


















0














You'll be able to achieve what you need without the additional commands (meaning cat and praudit).



Simply issuing tail -f /var/audit/current will give you the last 10 lines, and wait for further output.



EDIT1:
Ok, I see why you want to use praudit. Wasn't familiar with this command myself.



EDIT2:
Try this:
sudo praudit /dev/auditpipe




Audit pipes are cloning pseudo-devices in the device file system which
allow applications to tap the live audit record stream. This is
primarily of interest to authors of intrusion detection and system
monitoring applications. However, for the administrator the audit pipe
device is a convenient way to allow live monitoring without running
into problems with audit trail file ownership or log rotation
interrupting the event stream.







share|improve this answer


























  • Did you actually try sudo praudit /dev/auditpipe ? It doesn't work without opening the file specially using ioctls. See comment on the question above, there is a tool supraudit which can open that file sending the right ioctls to actually get output.

    – Sam Salisbury
    Feb 15 at 15:07











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1406083%2fwhy-does-tail-f-var-audit-current-praudit-just-print-5-lines-and-exit-imme%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














You'll be able to achieve what you need without the additional commands (meaning cat and praudit).



Simply issuing tail -f /var/audit/current will give you the last 10 lines, and wait for further output.



EDIT1:
Ok, I see why you want to use praudit. Wasn't familiar with this command myself.



EDIT2:
Try this:
sudo praudit /dev/auditpipe




Audit pipes are cloning pseudo-devices in the device file system which
allow applications to tap the live audit record stream. This is
primarily of interest to authors of intrusion detection and system
monitoring applications. However, for the administrator the audit pipe
device is a convenient way to allow live monitoring without running
into problems with audit trail file ownership or log rotation
interrupting the event stream.







share|improve this answer


























  • Did you actually try sudo praudit /dev/auditpipe ? It doesn't work without opening the file specially using ioctls. See comment on the question above, there is a tool supraudit which can open that file sending the right ioctls to actually get output.

    – Sam Salisbury
    Feb 15 at 15:07
















0














You'll be able to achieve what you need without the additional commands (meaning cat and praudit).



Simply issuing tail -f /var/audit/current will give you the last 10 lines, and wait for further output.



EDIT1:
Ok, I see why you want to use praudit. Wasn't familiar with this command myself.



EDIT2:
Try this:
sudo praudit /dev/auditpipe




Audit pipes are cloning pseudo-devices in the device file system which
allow applications to tap the live audit record stream. This is
primarily of interest to authors of intrusion detection and system
monitoring applications. However, for the administrator the audit pipe
device is a convenient way to allow live monitoring without running
into problems with audit trail file ownership or log rotation
interrupting the event stream.







share|improve this answer


























  • Did you actually try sudo praudit /dev/auditpipe ? It doesn't work without opening the file specially using ioctls. See comment on the question above, there is a tool supraudit which can open that file sending the right ioctls to actually get output.

    – Sam Salisbury
    Feb 15 at 15:07














0












0








0







You'll be able to achieve what you need without the additional commands (meaning cat and praudit).



Simply issuing tail -f /var/audit/current will give you the last 10 lines, and wait for further output.



EDIT1:
Ok, I see why you want to use praudit. Wasn't familiar with this command myself.



EDIT2:
Try this:
sudo praudit /dev/auditpipe




Audit pipes are cloning pseudo-devices in the device file system which
allow applications to tap the live audit record stream. This is
primarily of interest to authors of intrusion detection and system
monitoring applications. However, for the administrator the audit pipe
device is a convenient way to allow live monitoring without running
into problems with audit trail file ownership or log rotation
interrupting the event stream.







share|improve this answer















You'll be able to achieve what you need without the additional commands (meaning cat and praudit).



Simply issuing tail -f /var/audit/current will give you the last 10 lines, and wait for further output.



EDIT1:
Ok, I see why you want to use praudit. Wasn't familiar with this command myself.



EDIT2:
Try this:
sudo praudit /dev/auditpipe




Audit pipes are cloning pseudo-devices in the device file system which
allow applications to tap the live audit record stream. This is
primarily of interest to authors of intrusion detection and system
monitoring applications. However, for the administrator the audit pipe
device is a convenient way to allow live monitoring without running
into problems with audit trail file ownership or log rotation
interrupting the event stream.








share|improve this answer














share|improve this answer



share|improve this answer








edited Feb 15 at 15:03

























answered Feb 15 at 14:27









relevantRoperelevantRope

13




13













  • Did you actually try sudo praudit /dev/auditpipe ? It doesn't work without opening the file specially using ioctls. See comment on the question above, there is a tool supraudit which can open that file sending the right ioctls to actually get output.

    – Sam Salisbury
    Feb 15 at 15:07



















  • Did you actually try sudo praudit /dev/auditpipe ? It doesn't work without opening the file specially using ioctls. See comment on the question above, there is a tool supraudit which can open that file sending the right ioctls to actually get output.

    – Sam Salisbury
    Feb 15 at 15:07

















Did you actually try sudo praudit /dev/auditpipe ? It doesn't work without opening the file specially using ioctls. See comment on the question above, there is a tool supraudit which can open that file sending the right ioctls to actually get output.

– Sam Salisbury
Feb 15 at 15:07





Did you actually try sudo praudit /dev/auditpipe ? It doesn't work without opening the file specially using ioctls. See comment on the question above, there is a tool supraudit which can open that file sending the right ioctls to actually get output.

– Sam Salisbury
Feb 15 at 15:07


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1406083%2fwhy-does-tail-f-var-audit-current-praudit-just-print-5-lines-and-exit-imme%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Probability when a professor distributes a quiz and homework assignment to a class of n students.

Image
0 0 $begingroup$ Need help with this problem. Suppose our lazy professor collects a quiz and a homework assignment from a class of n students one day, then distributes both the quizzes and the homework assignments back to the class in a random fashion for grading. Each student receives one quiz and one homework assignment to grade. (a) What is the probability that every student receives someone else's quiz to grade, and someone else's homework to grade? (b) What is the probability that no student receives both their own quiz and their own homework assignment to grade? In this case, some students may receive their own quiz, and others may receive their own homework assignment. (c) Compute the limiting probability as n approaches infinity in each case. ...
Read more

Aardman Animations

Image
Aardman Animations, Ltd. Aardman Animations Tipo privada Atividade Animação em stop-motion , Animação em CGI Fundação 1972 Fundador(es) Peter Lord David Sproxton Sede Bristol, Inglaterra  Reino Unido Proprietário(s) Dreamworks Pessoas-chave Peter Lord David Sproxton Nick Park Divisões Aardman Features Aardman Digital Aardman Commercials Aardman Broadcast Aardman International Aardman Rights Aardman Effects Aardman 3-D Systems Aardman Nathan Love AardBoiled Website oficial aardman.com ...
Read more

Are they similar matrix

Image
0 $begingroup$ Do $begin{bmatrix} 0&i&0\0&0&1\0&0&0 end{bmatrix} $ and $begin{bmatrix} 0&0&0\-i&0&0\0&1&0 end{bmatrix} $ are similar.Is this True/false Clearly both are nilpotent and one is conjucate transpose of other but how to know if they are similar.i'm stuck. Please help me linear-algebra vector-spaces eigenvalues-eigenvectors generalizedeigenvector share | cite | improve this question edited Dec 10 '18 at 6:38 Vasanth Kris asked Dec 10 '18 at 6:19 ...
Read more