ausearch: NOT operator in string match

When examining network activity logs from audit, I want to exclude a few programs I know, e.g. firefox.

    ausearch -x firefox -i

brings up all firefox-related connections. But common NOT-operators seem to fail:

    ausearch -x=!fire
    ausearch -x !fire
    ausearch -x ^[fire]

How to NOT match a string in ausearch?

Note: this is not about defining the logging rules to exclude programs, but just filtering on the logs themselves.

Asked By: FelixJN
Possible workaround using awk (GNU version), making use of ausearch separating blocks with ----.

    ausearch -i | awk 'BEGIN { RS="----" } ; !/firefox/'
Answered By: FelixJN
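The same idea as the awk workaround above, written out as an added example (not code from the question or the answer): a small shell function that reads `ausearch -i` output and drops every event block that matches one or more patterns. It relies only on the `----` separator line that `ausearch -i` prints between events, and it buffers lines itself instead of setting a multi-character RS, so it does not need GNU awk. The function name `exclude_events` and the sample output are assumptions made here; the sample is constructed and abridged, not captured from a real system. Note that, unlike `ausearch -x`, a plain text match applies to every line of the event (paths, socket addresses, keys), so pass a tighter regex such as `exe=[^ ]*firefox` when the bare word is too broad.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Filter ausearch -i output by excluding whole event blocks that match a pattern.
# Assumption: events are separated by a line containing exactly "----",
# which is what ausearch -i emits between records.

# Constructed sample of ausearch -i output (abridged; values are illustrative only).
SAMPLE='----
type=SOCKADDR msg=audit(01/01/2024 12:00:00.001:101) : saddr={ fam=inet laddr=203.0.113.10 lport=443 }
type=SYSCALL msg=audit(01/01/2024 12:00:00.001:101) : arch=x86_64 syscall=connect success=yes exit=0 comm=firefox exe=/usr/lib/firefox/firefox
----
type=SOCKADDR msg=audit(01/01/2024 12:00:01.002:102) : saddr={ fam=inet laddr=198.51.100.7 lport=22 }
type=SYSCALL msg=audit(01/01/2024 12:00:01.002:102) : arch=x86_64 syscall=connect success=yes exit=0 comm=ssh exe=/usr/bin/ssh
----
type=SOCKADDR msg=audit(01/01/2024 12:00:02.003:103) : saddr={ fam=inet laddr=192.0.2.55 lport=4444 }
type=SYSCALL msg=audit(01/01/2024 12:00:02.003:103) : arch=x86_64 syscall=connect success=yes exit=0 comm=curl exe=/usr/bin/curl
'

# exclude_events PATTERN [PATTERN...]
# Reads ausearch -i output on stdin and prints only the event blocks in which
# no line matches any of the given extended regular expressions.
exclude_events() {
    # Join the arguments into one alternation: firefox ssh -> (firefox|ssh)
    re=$(printf '%s|' "$@")
    re="(${re%|})"
    awk -v re="$re" '
        # Print the buffered event unless one of its lines matched, then reset.
        function emit() {
            if (buf != "" && !hit) printf "%s", buf
            buf = ""; hit = 0
        }
        # A separator line closes the previous event and starts a new one.
        /^----$/ { emit(); buf = $0 "\n"; next }
        # Any other line belongs to the current event; remember if it matched.
        { buf = buf $0 "\n"; if ($0 ~ re) hit = 1 }
        END { emit() }
    '
}

# Usage with the constructed sample; on a live system replace the printf with:
#   ausearch -i | exclude_events firefox
printf '%s' "$SAMPLE" | exclude_events firefox
```

Because every line of the block is kept or dropped together, the SOCKADDR record of an excluded connect() disappears along with its SYSCALL record, which is what you want when the goal is to hide a whole program's traffic rather than individual lines.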