From: James Antill <jantill@redhat.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com, "Wieprecht, Karen M." <Karen.Wieprecht@jhuapl.edu>
Subject: Re: How to read audit log?
Date: Tue, 25 Sep 2007 12:43:52 -0400
Message-ID: <1190738632.22109.54.camel@code.and.org>
In-Reply-To: <200709251102.32720.sgrubb@redhat.com>
On Tue, 2007-09-25 at 11:02 -0400, Steve Grubb wrote:
> > I would really like to see a sample of what the auparse output looks
> > like. I have a Perl script that sucks the output of ausearch into a
> > key-value hash table from which I have other code that determines how to
> > print this in a human friendly format, but I'm wondering if auparse
> > can replace that or if all it does for me is to get the information into
> > the key-value hash table so I can decide how I want to format the output
>
> Yes. It would let you write an app that is more efficient than using perl on
> ausearch output.
That's not really true, and when it is true it's only because ausearch
is so slow at doing "cat":
# time fgrep USER_LOGIN /var/log/audit/*
fgrep USER_LOGIN /var/log/audit/* 0.01s user 0.01s system 97% cpu 0.017 total
# time perl -ne '/^type=USER_LOGIN msg=audit\((\d+).* auid=(\d*).*\Whostname=(\w*).*\Wterminal=(\S*).*\Wres=success\W/ && print localtime($1) . " - $2 - $3:$4\n"' /var/log/audit/* > /dev/null
perl -ne /var/log/audit/* 0.06s user 0.01s system 99% cpu 0.074 total
# time ausearch -m USER_LOGIN -i | perl -ne '/^type=USER_LOGIN msg=audit\(([^)]+).* auid=(\d*).*\Whostname=(\w*).*\Wterminal=(\S*).*\Wres=success\W/ && print "$1 - $2 - $3:$4\n"' > /dev/null
ausearch -m USER_LOGIN -i 0.28s user 0.01s system 99% cpu 0.288 total
perl -ne 0.00s user 0.00s system 1% cpu 0.288 total
# time ./lastlog_audit > /dev/null
./lastlog_audit 0.54s user 0.01s system 99% cpu 0.557 total
# time ausearch -i | perl -ne '/^type=USER_LOGIN msg=audit\(([^)]+).* auid=(\d*).*\Whostname=(\w*).*\Wterminal=(\S*).*\Wres=success\W/ && print "$1 - $2 - $3:$4\n"' > /dev/null
ausearch -i 1.61s user 0.75s system 98% cpu 2.388 total
perl -ne 0.11s user 0.05s system 6% cpu 2.386 total
...the lastlog_audit is the obvious implementation using your provided
code as a starting point:
http://people.redhat.com/jantill/lastlog_audit.c
--
James Antill <jantill@redhat.com>
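For readers who want the same USER_LOGIN extraction the perl one-liners above perform, here is an added Python example (not code from the thread or from the audit project). It tokenizes the raw audit record format into key/value pairs instead of relying on one positional regex, and filters for successful USER_LOGIN events; the sample records are constructed, and the `msg='... (hostname=..., terminal=... res=...)'` layout is assumed to match the 2007-era audit user-message format.

```python
import re
from datetime import datetime, timezone

# Constructed sample records (not real audit data) in the raw /var/log/audit
# line format; the field layout inside msg='...' is an assumption.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1190738632.101:2001): user pid=4242 uid=0 auid=500 msg='acct="karen": exe="/usr/sbin/sshd" (hostname=host.example.org, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1190738700.202:2002): user pid=4243 uid=0 auid=4294967295 msg='acct="nobody": exe="/usr/sbin/sshd" (hostname=?, addr=192.0.2.11, terminal=ssh res=failed)'
type=CRED_ACQ msg=audit(1190738701.303:2003): user pid=4244 uid=0 auid=501 msg='PAM: setcred acct="bob" : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_LOGIN msg=audit(1190738800.404:2004): user pid=4245 uid=0 auid=501 msg='acct="bob": exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
"""

# Record header: type, epoch timestamp with milliseconds, and serial number.
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$')
# A field is key=value where value is either double-quoted or a bare token;
# bare tokens stop at whitespace, the "," and ")" that wrap the hostname/terminal
# group, and the "'" that delimits the nested msg='...' field.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|[^\s,)\']*)')


def parse_audit_line(line):
    """Return a dict of the record's fields, or None if the line is not a record."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "time": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    for f in FIELD_RE.finditer(m.group("rest")):
        key, raw, quoted = f.group(1), f.group(2), f.group(3)
        rec[key] = quoted if quoted is not None else raw
    return rec


def successful_logins(log_text):
    """USER_LOGIN records with res=success, as the one-liners above select."""
    out = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec["type"] == "USER_LOGIN" and rec.get("res") == "success":
            out.append(rec)
    return out


def format_lastlog(rec):
    """'time - auid - hostname:terminal', with the time rendered in UTC."""
    when = datetime.fromtimestamp(rec["time"], tz=timezone.utc)
    return "%s - %s - %s:%s" % (when.strftime("%Y-%m-%d %H:%M:%S UTC"),
                                rec.get("auid", "?"), rec.get("hostname", "?"),
                                rec.get("terminal", "?"))


if __name__ == "__main__":
    for rec in successful_logins(SAMPLE_LOG):
        print(format_lastlog(rec))
```

Note that auid=4294967295 (unset login uid) and non-USER_LOGIN records such as CRED_ACQ are carried through by the parser but dropped by the filter, so the output lists only the two real logins.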