Description of problem:

# ausearch -m avc -if audit.log -te now -ts today 11:15:00
Invalid start date (today). Month, Day, and Year are required.

(Note that '-ts 11:15:00' and letting it default to "today" *works*)

However, the manpage for ausearch says:

    -ts [start date] [start time]
        Search for events with time stamps equal to or after the given
        end time. The format of end time depends on your locale. If the
        date is omitted, today is assumed. If the time is omitted,
        midnight is assumed. Use 24 hour clock time rather than AM or PM
        to specify time. An example date is 10/24/2005. An example of
        time is 18:00:00. You may also use the word: now, today, and
        yesterday. Today means starting at 1 second after midnight.
        Yesterday is 1 second after midnight the previous day.

Version-Release number of selected component (if applicable):
audit-1.2.1-2
today is a full time specification, meaning that it translates to 05/12/2006 00:00:01. So, doing -ts today 11:15:00 is the same as doing 05/12/2006 00:00:01 11:15:00, which is an error. I should probably clean up the error messages and update documentation. If you had wanted 11:15:00 on today's date, you only need to enter the time and today's date is assumed.
Could you also clarify whether the -ts option requires at least one of either the time or date? It is confusing that -te can be used without any time specifications, but -ts requires at least one time specification of date or time. At least, this is what I see on FC5:

$ ausearch -ts
-ts requires either date and/or time

It would be nice, and, IMO, expected to have -ts work like -te.
This was fixed in audit-1.2.7 and will be pushed into rawhide, FC-6, and FC-5. Thanks for the suggestion.
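An added example, not part of the thread and not ausearch's own code: a small Python model of how the comments above and the quoted manpage describe -ts arguments being resolved in the versions before the fix. The function name resolve_ts, its error wording for the keyword case, and the MM/DD/YYYY date format (taken from the manpage's example date) are assumptions.

```python
from datetime import datetime, time, timedelta

KEYWORDS = ("now", "today", "yesterday")

def resolve_ts(tokens, now):
    """Resolve the words following -ts to a start timestamp.

    tokens: list of argument words; now: current datetime (injected so the
    result is reproducible). Hypothetical helper modelling the thread.
    """
    if not tokens:
        # Message reported in the thread for a bare -ts on FC5.
        raise ValueError("-ts requires either date and/or time")
    if tokens[0] in KEYWORDS:
        # A keyword already stands for a full date AND time, so a trailing
        # time such as "today 11:15:00" is one specification too many.
        if len(tokens) > 1:
            raise ValueError(
                f"'{tokens[0]}' is a complete timestamp; give only the "
                f"time ({tokens[1]}) to mean that time today")
        if tokens[0] == "now":
            return now
        days_back = 1 if tokens[0] == "yesterday" else 0
        # today / yesterday start 1 second after midnight.
        return datetime.combine(now.date() - timedelta(days=days_back),
                                time(0, 0, 1))
    if len(tokens) > 2:
        raise ValueError("expected at most a date and a time")
    day, clock = None, None
    for tok in tokens:
        if "/" in tok and day is None and clock is None:
            day = datetime.strptime(tok, "%m/%d/%Y").date()  # date comes first
        elif ":" in tok and clock is None:
            clock = datetime.strptime(tok, "%H:%M:%S").time()
        else:
            raise ValueError(f"unrecognised or misplaced argument: {tok}")
    # Omitted date -> today; omitted time -> midnight.
    return datetime.combine(day or now.date(), clock or time(0, 0, 0))

if __name__ == "__main__":
    now = datetime(2006, 5, 12, 14, 30, 0)  # constructed "current time"
    for args in (["11:15:00"], ["today"], ["10/24/2005"], ["today", "11:15:00"]):
        try:
            print(args, "->", resolve_ts(args, now))
        except ValueError as err:
            print(args, "-> error:", err)
```
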