ausearch_add_timestamp_item - Linux


Overview

ausearch_add_timestamp_item adds a timestamp to an existing timestamp item in the audit database. The new timestamp must be strictly greater than the item's current timestamp; when it is, the older timestamp is overwritten with the new one.

Syntax

ausearch_add_timestamp_item [-i field] audit_item

Options/Flags

  • -i field — Specifies the name of an integer field in the input file to be used as the timestamp. If not set, the timestamp field is used.

Examples

Add a timestamp to the timestamp field of the audit item with key ‘user=jdoe’:

ausearch_add_timestamp_item user=jdoe

Add a timestamp to the custom_timestamp field of the audit item with key ‘user=jdoe’:

ausearch_add_timestamp_item -i custom_timestamp user=jdoe

Common Issues

  • Ensure that the timestamp being added is strictly greater than the current timestamp for the audited item.
  • If the specified timestamp field does not exist, the command reports an error.

Integration

ausearch_add_timestamp_item can be combined with other Linux commands and tools for more advanced tasks. For example, it can be used together with the ausearch command to locate audit items, and with the ausearch_set_timestamp command to set the timestamp of an audit item.

Related Commands

  • ausearch
  • ausearch_set_timestamp