From: John Dennis <jdennis@redhat.com>
To: Scott Ehrlich <scott@MIT.EDU>
Cc: linux-audit@redhat.com
Subject: Re: How to read audit log?
Date: Tue, 25 Sep 2007 10:34:21 -0400
Message-ID: <1190730861.3569.18.camel@finch.boston.redhat.com>
In-Reply-To: <Pine.GSO.4.64L.0709250917510.2611@mint-square.mit.edu>
On Tue, 2007-09-25 at 09:21 -0400, Scott Ehrlich wrote:
> As I've reviewed the audit log of a system with audit 1.5.2 installed, I
> discovered the format is something I wasn't used to, and performing a man
> on auditd, auditctl, and a few others didn't help clarify anything.
>
> Could someone please produce a sample audit log line or two and break down
> what each piece means, or direct me to a web page that does so?
>
> I had initially expected some form of date/time stamp, but looking at the
> first set of decimal-separated digits couldn't help me decipher a
> date/time.
Your best bet might be to use the auparse library, or ausearch which
knows how to interpret the audit log format for you and can present the
information in a human friendly format.
type=SYSCALL msg=audit(1166045975.667:1128): foo=bar ...
But if you want to roll your own here's a quick intro using the above as
an example. Most of the data are key=value pairs. The first key is the
audit record type. In the example the audit record type is SYSCALL. Then
comes an event ID. A single event that has been audited may consist of
multiple independent records which are NOT necessarily sequentially
emitted by the audit system. The independent records must be assembled
into a set of records comprising the event. The audit(sss.mmm:xxx) is
the event ID. The first integer is a UNIX time stamp (seconds after the
epoch), the second integer is a millisecond offset, the third integer
after the colon is a sequence number to provide uniqueness to the
second.milli time stamp. Everything after that is formatted according to
the record type, but is typically a sequence of key/value pairs.
--
John Dennis <jdennis@redhat.com>
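As an added illustration of the format John describes above (this is not John's code and not part of the audit package; auparse/ausearch remain the supported way to read the log), here is a small Python parser that splits the type=... msg=audit(secs.millis:serial): prefix from the key=value fields, converts the timestamp, and reassembles records into events by event ID, so that records of one event that were not emitted adjacently still end up together. The sample log lines are constructed for the example: the field names follow the usual SYSCALL/CWD/PATH layout, but the values are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# The record prefix John describes: type=<TYPE> msg=audit(<secs>.<millis>:<serial>): ...
_HEADER = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\('
    r'(?P<secs>\d+)\.(?P<millis>\d{1,3}):(?P<serial>\d+)\):\s*(?P<rest>.*)$'
)
# key=value pairs; a value is either "double quoted" or a run of non-whitespace.
# Caveat: USER_* records carry a nested msg='...' sub-record in single quotes,
# which this simple tokenizer does not descend into.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Split one raw audit line into its type, event ID parts and key/value fields."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = {}
    for key, raw, quoted in _KV.findall(m.group('rest')):
        fields[key] = quoted if raw.startswith('"') else raw
    secs, millis, serial = (int(m.group(g)) for g in ('secs', 'millis', 'serial'))
    return {
        'type': m.group('type'),
        'secs': secs,
        'millis': millis,
        'serial': serial,
        # secs.millis:serial is the full event ID; the serial disambiguates
        # events that fall into the same millisecond.
        'event_id': '%d.%03d:%d' % (secs, millis, serial),
        'fields': fields,
    }


def event_time(rec):
    """UNIX seconds plus the millisecond offset, as a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(rec['secs'], tz=timezone.utc).replace(
        microsecond=rec['millis'] * 1000)


def group_events(lines):
    """Assemble records into events keyed by event ID.

    Records of one event need not be adjacent in the log, so we key on the
    event ID instead of relying on order; within an event, file order is kept.
    """
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events[rec['event_id']].append(rec)
    return dict(events)


# Constructed sample: two events whose records are interleaved in the log.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1166045975.667:1128): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=4242 auid=500 uid=0 comm="cat" exe="/bin/cat" key="watch_shadow"
type=CWD msg=audit(1166045975.667:1128): cwd="/root"
type=SYSCALL msg=audit(1166045976.012:1129): arch=c000003e syscall=59 success=yes exit=0 items=2 pid=4243 auid=500 uid=500 comm="ls" exe="/bin/ls"
type=PATH msg=audit(1166045975.667:1128): item=0 name="/etc/shadow" inode=12345 dev=08:02 mode=0100400 ouid=0 ogid=0
type=CWD msg=audit(1166045976.012:1129): cwd="/home/scott"
"""


if __name__ == '__main__':
    for event_id, recs in sorted(group_events(SAMPLE_LOG.splitlines()).items()):
        stamp = event_time(recs[0]).strftime('%Y-%m-%d %H:%M:%S.%f')[:-3]
        print('%s UTC  %s  records=%s' % (
            stamp, event_id, ','.join(r['type'] for r in recs)))
        for r in recs:
            print('    %-8s %s' % (
                r['type'], ' '.join('%s=%s' % kv for kv in r['fields'].items())))
```

Running it prints each event once, with its wall-clock time and the types of the records that make it up, which is roughly what ausearch does for you; the point of the example is that the grouping key is the whole secs.millis:serial triple, not the timestamp alone.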