Hello
The way the script is constructed makes it consume a lot of CPU when audit logs are big (100M), because it reads the whole file, skipping line by line.
I have this proposal:
TAIL_SIZE=$((FILE_LINES-SEEK))
if [ "$TAIL_SIZE" -gt 0 ]; then
    exec 3<&0                      # save the original stdin on fd 3
    # Read from tail's output via process substitution (bash). Backticks here
    # would run tail and then try to open its output text as a file name.
    exec 0< <(tail -n "$TAIL_SIZE" "$AUDIT_FILE")
    while read -r line
    do
        # quote $line so whitespace and glob characters in the record survive
        echo "$line" | tee "$TEE_DEST" | /sbin/ausearch -i 2>/dev/null | grep -v '^----'
    done
    exec 0<&3                      # restore stdin
    exec 3<&-                      # close the saved copy
fi
This way resource usage is quite a bit lower.
Will this script be updated anytime soon?
regards,
gabriel
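The skip-by-offset idea in the post above, written out as an added example (this is neither the script under discussion nor gabriel's code). It assumes the same three inputs the post uses (the audit file, a saved line offset SEEK and a tee destination), uses `tail -n +K` to start at the offset without a shell loop over the skipped lines, runs one tee and one decoder over the whole batch instead of one process per record, and resets the offset when the file has fewer lines than SEEK (a rotated or truncated log). The decoder is a placeholder variable, DECODE_CMD, defaulting to `cat` so the example runs without auditd; set it to `/sbin/ausearch -i` on a real host. The `tee -a` (append) and the rotation check are my choices, not behaviour of the original script.

```shell
#!/bin/sh
# Added example, not the original script: forward only audit records appended
# after a saved line offset. Assumed variables mirror the post's: AUDIT_FILE,
# SEEK (lines already processed), TEE_DEST.

# DECODE_CMD: what the batch is piped through. The post uses "/sbin/ausearch -i";
# default to cat here so the example runs offline (assumption).
DECODE_CMD=${DECODE_CMD:-cat}

# count_lines FILE -> number of lines, the value to persist as the next SEEK
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# new_lines FILE SEEK -> every line after line number SEEK.
# tail -n +K prints from line K onward, so K = SEEK+1 skips what was done.
new_lines() {
    tail -n +"$(($2 + 1))" -- "$1"
}

# forward_new FILE SEEK TEE_DEST -> decoded records on stdout; the raw lines
# are appended to TEE_DEST. Caller persists count_lines FILE as the new SEEK.
forward_new() {
    file=$1; seek=$2; tee_dest=$3
    total=$(count_lines "$file")
    # Rotation/truncation: fewer lines than the saved offset means the file was
    # replaced, so start over instead of silently emitting nothing.
    if [ "$total" -lt "$seek" ]; then
        seek=0
    fi
    if [ "$total" -gt "$seek" ]; then
        # one tail, one tee, one decoder for the whole batch, not per line;
        # "|| :" keeps grep's exit 1 (no lines left) from being treated as failure
        new_lines "$file" "$seek" | tee -a "$tee_dest" | $DECODE_CMD | grep -v '^----' || :
    fi
}

# Usage (assumed variable names):
#   forward_new "$AUDIT_FILE" "$SEEK" "$TEE_DEST"
#   SEEK=$(count_lines "$AUDIT_FILE")   # persist for the next run
```

Because the offset is taken as a line count after the batch is sent, records appended while the batch is being processed are picked up on the next run rather than lost.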