From: James Antill
Subject: Re: How to read audit log?
Date: Tue, 25 Sep 2007 12:43:52 -0400
Message-ID: <1190738632.22109.54.camel@code.and.org>
In-Reply-To: <200709251102.32720.sgrubb@redhat.com>
References: <1190730861.3569.18.camel@finch.boston.redhat.com> <200709251102.32720.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com, "Wieprecht, Karen M."
List-Id: linux-audit@redhat.com

On Tue, 2007-09-25 at 11:02 -0400, Steve Grubb wrote:
> > I would really like to see a sample of what the auparse output looks
> > like. I have a Perl script that sucks the output of ausearch into a
> > key-value hash table from which I have other code that determines how to
> > print this in a human friendly format, but I'm wondering if auparse
> > can replace that or if all it does for me is to get the information into
> > the key-value hash table so I can decide how I want to format the output
> 
> Yes. It would let you write an app that is more efficient than using perl on
> ausearch output.

 That's not really true, and when it is true it's only because ausearch
is so slow at doing "cat":

# time fgrep USER_LOGIN /var/log/audit/*
fgrep USER_LOGIN /var/log/audit/*  0.01s user 0.01s system 97% cpu 0.017 total

# time perl -ne '/^type=USER_LOGIN msg=audit\((\d+).* auid=(\d*).*\Whostname=(\w*).*\Wterminal=(\S*).*\Wres=success\W/ && print localtime($1) . " - $2 - $3:$4\n"' /var/log/audit/* > /dev/null
perl -ne  /var/log/audit/*  0.06s user 0.01s system 99% cpu 0.074 total

# time ausearch -m USER_LOGIN -i | perl -ne '/^type=USER_LOGIN msg=audit\(([^)]+).* auid=(\d*).*\Whostname=(\w*).*\Wterminal=(\S*).*\Wres=success\W/ && print "$1 - $2 - $3:$4\n"' > /dev/null
ausearch -m USER_LOGIN -i  0.28s user 0.01s system 99% cpu 0.288 total
perl -ne  0.00s user 0.00s system 1% cpu 0.288 total

# time ./lastlog_audit > /dev/null
./lastlog_audit  0.54s user 0.01s system 99% cpu 0.557 total

# time ausearch -i | perl -ne '/^type=USER_LOGIN msg=audit\(([^)]+).* auid=(\d*).*\Whostname=(\w*).*\Wterminal=(\S*).*\Wres=success\W/ && print "$1 - $2 - $3:$4\n"' > /dev/null
ausearch -i  1.61s user 0.75s system 98% cpu 2.388 total
perl -ne  0.11s user 0.05s system 6% cpu 2.386 total

...the lastlog_audit is the obvious implementation using your provided
code as a starting point:

http://people.redhat.com/jantill/lastlog_audit.c

-- 
James Antill