Bug 155885 - RFE: log human-readable timestamps in audit logs?
Summary: RFE: log human-readable timestamps in audit logs?
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: audit
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Steve Grubb
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-04-25 11:41 UTC by Joe Orton
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 0.9.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-06-02 20:34:01 UTC
Type: ---
Embargoed:



Description Joe Orton 2005-04-25 11:41:31 UTC
Would it be possible to log human-readable timestamps in the audit logs rather
than the time_t values? audit(1114428905.134:0). A couple of times I've had to
do time_t->date conversions to see what's going on with SELinux policy errors!

Comment 1 Steve Grubb 2005-04-25 12:49:41 UTC
There is a utility ausearch that fulfills this. For example, if you know the
event you are looking for is between 8:30 & 9:00, the syntax is this:

ausearch -ts 08:30:00 -te 09:00:00

If you want all records up to now, check what time it is. For example, 8:50:

ausearch -te 08:50:00

Sample record:

----
time->Sun Apr 24 13:59:15 2005
type=KERNEL msg=audit(1114365555.724:10300557): syscall=39 arch=40000003
success=yes exit=0 a0=bffed9d0 a1=b6cff4 a2=804847c a3=0 items=1 pid=16601
loginuid=4325 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
type=KERNEL msg=audit(1114365555.724:10300557): item=0 name="/tmp/config3"
inode=2 dev=03:08 mode=041777 uid=0 gid=0 rdev=00:00


ausearch is slated to have more improvements that make the whole record easy to
understand.
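The sample record above shows the two forms side by side: the raw msg=audit(seconds.milliseconds:serial) id the kernel writes, and the "time->" header ausearch prints. As an added illustration (not code from the audit package), this Python script parses that id, groups records into events, applies a start/end window in the spirit of -ts/-te, and emits the same "time->" header. The log lines are constructed samples modelled on the record above; timestamps are rendered in UTC, whereas ausearch uses local time.

```python
import re
from collections import OrderedDict
from datetime import datetime, timezone

# Constructed sample records in the format quoted in the comment above
# (hypothetical values, not taken from a real system).
SAMPLE_LOG = """\
type=KERNEL msg=audit(1114365555.724:10300557): syscall=39 arch=40000003 success=yes exit=0 pid=16601 uid=0
type=KERNEL msg=audit(1114365555.724:10300557): item=0 name="/tmp/config3" inode=2 dev=03:08 mode=041777
type=USER_AUTH msg=audit(1114365600.100:10300558): user pid=2795 uid=500 msg='PAM authentication: user=root'
"""

# msg=audit(<seconds>.<milliseconds>:<serial>) identifies one event; every
# record belonging to that event carries the same id.
AUDIT_ID = re.compile(r"msg=audit\((\d+)\.(\d{3}):(\d+)\)")


def parse_audit_id(line):
    """Return (seconds, milliseconds, serial) from a record, or None if absent."""
    m = AUDIT_ID.search(line)
    if not m:
        return None
    secs, millis, serial = m.groups()
    return int(secs), int(millis), int(serial)


def format_time(secs):
    """Render epoch seconds like ausearch's 'time->' line (UTC here, not local time)."""
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")


def group_events(log, start=None, end=None):
    """Group records by event id, keeping events whose epoch seconds lie in [start, end]."""
    events = OrderedDict()
    for line in log.splitlines():
        ident = parse_audit_id(line)
        if ident is None:
            continue  # not an audit record (e.g. a '----' separator line)
        secs = ident[0]
        if (start is not None and secs < start) or (end is not None and secs > end):
            continue
        events.setdefault(ident, []).append(line)
    return events


def annotate(log, start=None, end=None):
    """Produce ausearch-style output: '----' and 'time->' header before each event."""
    out = []
    for (secs, _millis, _serial), lines in group_events(log, start, end).items():
        out.append("----")
        out.append("time->" + format_time(secs))
        out.extend(lines)
    return "\n".join(out)
```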

Comment 2 Joe Orton 2005-04-25 13:11:10 UTC
That seems fine, though actually formatting the date is what's important to me.

Though if those "-ts" and "-te" options are not proper GNU getopt_long-style
--long-options, then please make them so, to be consistent with 95% of the rest of
the distro!

i.e. a much preferable syntax:

ausearch --since 08:00 --earlier 09:00
== ausearch -s 08:00 -e 09:00



Comment 3 Steve Grubb 2005-04-25 13:30:38 UTC
>That seems fine, though actually formatting the date is what's important to me.

What is missing? What do you want to see?

>though if those "-ts" and "-te" options are not proper GNU getopt_long-style
>--long-options then please make them so to be consistent with 95% of the rest 
>of the distro!

This is not likely to happen in the near future. I have real bugs and
functionality that's simply missing that has to be done real soon. I also did
not want the commandline option mess that auditctl became (before I took it over).

Comment 4 Joe Orton 2005-04-25 13:32:10 UTC
Sorry I missed the "time->" part, never mind me :)

Comment 5 Steve Grubb 2005-06-02 20:34:01 UTC
I added a -i commandline option for ausearch. This interprets all numeric
information into human-readable text.

type=USER_AUTH msg=audit(06/02/05 16:37:06.836:2403073) : user pid=2795
uid=sgrubb auid=sgrubb msg='PAM authentication: user=root exe="/bin/su"
(hostname=?, addr=?, terminal=pts/1 result=Success)'

