Seeing AIDE's report

Note that the commands below may take some time to run: perhaps about 3 seconds, though possibly closer to 30 seconds.

The shorter method

For those reading an electronic copy of this text who want a single command line to copy and paste, and for those who prefer a more automated approach (even if it means more typing, once), the following may be used:

tail -n +$(( $( grep -n "Start timestamp: " $( ls -t /var/log/aide/aide-latest-check*.txt | head -n 1) | cut -d : -f 1 )-1 )) $( ls -t /var/log/aide/aide-latest-check*.txt | head -n 1) | ${PAGER:-less}

It is likely that no part of that needs to be customized. (The part most likely to need customization is the file's path, if a different location was chosen in earlier steps.)

An alternate method

If the shell does not support arithmetic expansion using the $(( )) syntax shown above, the following may work on a system that has the bc command (pre-)installed. (The -e option is the one in OpenBSD's bc; GNU bc does not accept it.)

tail -n +$( bc -e $( grep -n "Start timestamp: " $( ls -t /var/log/aide/aide-latest-check*.txt | head -n 1) | cut -d : -f 1 )-1 -e quit ) $( ls -t /var/log/aide/aide-latest-check*.txt | head -n 1) | ${PAGER:-less}

The long method

This shows, in a more step-by-step fashion, many of the steps used by the short method, and so may show how most of the “short” method was built up.

grep -n "Start timestamp: " $( ls -t /var/log/aide/aide-latest-check*.txt | head -n 1)

Example output:

1097051:Start timestamp: 2012-01-07 16:45:22

So this shows that line 1,097,051 of the log is where the timestamp is located (grep -n prefixes each matching line with its line number).

The line number alone can be extracted by instead running the following command:

grep -n "Start timestamp: " $( ls -t /var/log/aide/aide-latest-check*.txt | head -n 1) | cut -d : -f 1

It may be more useful to start one line before the timestamp, as in the following example, which uses one less than the line number in the previous example output.

tail -n +1097050 filename.txt

Specifically, users of OpenBSD's ksh and similar shells may be able to use this (customizing only the line number):

tail -n +1097050 $( ls -t /var/log/aide/aide-latest-check*.txt | head -n 1) | ${PAGER:-less}

Example Output

Example output:

AIDE 0.15.1 found differences between database and filesystem!!

Start timestamp: 2012-01-07 16:45:22

  Total number of files:         33270
  Added files:         13
  Removed files:         0
  Changed files:         1
The report then has sections, each of which starts with a header preceded by a row of hyphens. The first section might be “Added files:” followed by lines such as “added: /home/newuser” or “added: /home/newuser/.profile”.

Here is some actual example output, shown after the last added file:

Changed files:

changed /tmp

Detailed information about changes:

Directory: /tmp
 MTime    : 2012-01-07 14:47:44              , 2012-01-07 16:45:22
 CTime    : 2012-01-07 14:47:44              , 2012-01-07 16:45:22
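The following script is an added example and is not part of this text or of AIDE. It turns the steps of the “long method” above (find the newest report, locate the “Start timestamp:” line, show the report from one line earlier) into shell functions, and adds a small parser for the summary counts and the added/removed/changed paths described after the example output, so a cron job or monitoring script can tell at a glance whether a run found differences. The log location /var/log/aide/aide-latest-check*.txt is taken from the text; the report written under a temporary directory is constructed for the demonstration and is not real AIDE output.

```shell
#!/bin/sh
# Added example (not from the original page or from AIDE): the page's "long
# method" as functions, plus a summary parser for the report format shown.
# Assumptions: the /var/log/aide/aide-latest-check*.txt layout is the page's;
# the sample report below is constructed, not captured from a real system.

# Newest file matching DIR/PREFIX*.txt by modification time (ls -t: newest first).
newest_log() {
    ls -t "$1"/"$2"*.txt 2>/dev/null | head -n 1
}

# Line number of the first "Start timestamp: " line, or empty if there is none
# (head -n 1 guards against a log that has accumulated several runs).
timestamp_line() {
    grep -n "Start timestamp: " "$1" | head -n 1 | cut -d : -f 1
}

# One line before the timestamp, never below 1, using POSIX $(( )) arithmetic.
report_start_line() {
    n=$(timestamp_line "$1")
    [ -n "$n" ] || return 1
    start=$(( n - 1 ))
    [ "$start" -ge 1 ] || start=1
    echo "$start"
}

# The report from that line onward (pipe into "${PAGER:-less}" for interactive use).
show_report() {
    start=$(report_start_line "$1") || { echo "no 'Start timestamp:' line in $1" >&2; return 1; }
    tail -n +"$start" "$1"
}

# "added removed changed" counts from the summary block; requiring a trailing
# number keeps the section headers ("Added files:" with no count) from matching.
summary_counts() {
    awk '/^ *Added files: *[0-9]+$/   { a = $NF }
         /^ *Removed files: *[0-9]+$/ { r = $NF }
         /^ *Changed files: *[0-9]+$/ { c = $NF }
         END { printf "%s %s %s\n", a+0, r+0, c+0 }' "$1"
}

# Paths from the per-section detail lines, normalised to "kind path"
# (the page shows both the "added: /path" and the "changed /path" forms).
listed_paths() {
    awk '/^(added|removed|changed):? \//{ sub(/:$/, "", $1); print $1, $2 }' "$1"
}

# Exit 0 when the report shows no differences, 1 otherwise; usable as a cron check.
report_clean() {
    set -- $(summary_counts "$1")
    if [ "$1" -eq 0 ] && [ "$2" -eq 0 ] && [ "$3" -eq 0 ]; then
        return 0
    fi
    echo "AIDE reported $1 added, $2 removed, $3 changed" >&2
    return 1
}

# --- constructed sample report, standing in for /var/log/aide/aide-latest-check*.txt ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_LOG="$SAMPLE_DIR/aide-latest-check-sample.txt"
cat > "$SAMPLE_LOG" <<'EOF'
output from earlier commands in the same log (filler line 1)
filler line 2
AIDE 0.15.1 found differences between database and filesystem!!

Start timestamp: 2012-01-07 16:45:22

  Total number of files:         33270
  Added files:         2
  Removed files:         0
  Changed files:         1

---------------------------------------------------
Added files:
---------------------------------------------------

added: /home/newuser
added: /home/newuser/.profile

---------------------------------------------------
Changed files:
---------------------------------------------------

changed /tmp
EOF

LATEST=$(newest_log "$SAMPLE_DIR" aide-latest-check)
show_report "$LATEST"
echo "counts (added removed changed): $(summary_counts "$LATEST")"
listed_paths "$LATEST"
report_clean "$LATEST" || echo "exit status 1: differences present"
```

For real use, point newest_log at /var/log/aide with the aide-latest-check prefix and pipe show_report into "${PAGER:-less}"; report_clean's exit status is what a scheduled job would act on, since a non-zero count of added, removed or changed files is exactly the condition the report exists to surface.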