[sudo-users] sudoreplay -l filter weirdness
Todd C. Miller
Todd.Miller at courtesan.com
Thu Sep 5 09:55:01 MDT 2013
On Wed, 04 Sep 2013 21:13:57 -0400, "Michael W. Lucas" wrote:
> # sudoreplay -l fromdate this week
The sudoreplay manual says:
this week
The current time but the first day of the coming week
which is confusing but that's what getdate.y does. So for instance
"this week" evaluates to "Thu Sep 5 09:43:03 MDT 2013" at this
moment for me.
The way that "this" and "next" are treated is somewhat confusing.
For instance, "this month" is the coming month and "next month" is
the one after that.
> It appears that "todate" with dates matches only before, not on, the
> given date?
>
> # sudoreplay -l todate 9/1/2013 fromdate 9/1/2013
"9/1/2013" will evaluate to "Sep 1 00:00:00 2013" so if you use
9/1/2013 for both fromdate and todate you'll only match entries at
that time exactly.
Same problem with using "yesterday" -- you are setting the fromdate and
todate to the same absolute time.
- todd
More information about the sudo-users
mailing list