ausearch如果stdin是管道，则更改其行为.如果是，它将通过标准输入而不是通过审计守护程序日志进行搜索.您可以使用--input-logs强制其从日志中读取.

ausearch changes its behavior if stdin is a pipe. If it is it searches through stdin rather than through the audit daemon logs. You can use --input-logs to force it to read from the logs.

echo "blah" | ausearch -i -a 1221217 --input-logs

重定向stdin将达到相同的目的.

Redirecting stdin would achieve the same end.

#!/bin/bash
ausearch -i -a 1221217 < /dev/null