* How to read audit log?
From: Scott Ehrlich @ 2007-09-25 13:21 UTC
To: linux-audit

As I've reviewed the audit log of a system with audit 1.5.2 installed, I discovered the format is something I wasn't used to, and performing a man on auditd, auditctl, and a few others didn't help clarify anything.

Could someone please produce a sample audit log line or two and break down what each piece means, or direct me to a web page that does so?

I had initially expected some form of date/time stamp, but looking at the first set of decimal-separated digits couldn't help me decipher a date/time.

Thanks for any assistance.

Scott
* Re: How to read audit log?
From: Steve Grubb @ 2007-09-25 14:33 UTC
To: linux-audit

On Tuesday 25 September 2007 09:21:59 Scott Ehrlich wrote:
> Could someone please produce a sample audit log line or two and break down
> what each piece means, or direct me to a web page that does so?

For the quick view of your system, use the aureport program. It can give you summary information and produce reports for various aspects like failed logins or denied file accesses.

    aureport --start this-month
    aureport --start this-week --login --failed -i
    aureport --start this-week --file --failed -i

But there comes a time when you just want to see the raw information since there are more details. ausearch is the tool for this. It understands the format of the logs and should be used to look at the logs since it can do interpretation of the fields and glue individual records into events.

    ausearch --start today -i | less

What each field means can be found in the audit parsing library specification:

http://people.redhat.com/sgrubb/audit/audit-parse.txt

It gives an overview of the records in the top portion before it gets to the functions in the library.

> I had initially expected some form of date/time stamp, but looking at the
> first set of decimal-separated digits couldn't help me decipher a
> date/time.

ausearch is intended to be the audit log display tool.

-Steve
* Re: How to read audit log?
From: John Dennis @ 2007-09-25 14:34 UTC
To: Scott Ehrlich; +Cc: linux-audit

On Tue, 2007-09-25 at 09:21 -0400, Scott Ehrlich wrote:
> As I've reviewed the audit log of a system with audit 1.5.2 installed, I
> discovered the format is something I wasn't used to, and performing a man
> on auditd, auditctl, and a few others didn't help clarify anything.
>
> Could someone please produce a sample audit log line or two and break down
> what each piece means, or direct me to a web page that does so?
>
> I had initially expected some form of date/time stamp, but looking at the
> first set of decimal-separated digits couldn't help me decipher a
> date/time.

Your best bet might be to use the auparse library, or ausearch which knows how to interpret the audit log format for you and can present the information in a human friendly format.

    type=SYSCALL msg=audit(1166045975.667:1128): foo=bar ...

But if you want to roll your own here's a quick intro using the above as an example.

Most of the data are key=value pairs. The first key is the audit record type. In the example the audit record type is SYSCALL.

Then comes an event ID. A single event that has been audited may consist of multiple independent records which are NOT necessarily sequentially emitted by the audit system. The independent records must be assembled into a set of records comprising the event. The audit(sss.mmm:xxx) is the event ID. The first integer is a UNIX time stamp (seconds after the epoch), the second integer is a millisecond offset, the third integer after the colon is a sequence number to provide uniqueness to the second.milli time stamp.

Everything after that is formatted according to the record type, but is typically a sequence of key/value pairs.

-- 
John Dennis <jdennis@redhat.com>
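An added example, not code from this thread or from the audit project, that parses the record layout John describes and reassembles records into events by their audit(sec.ms:serial) ID, which is also what makes split records (as discussed later in the thread) easy to spot. It runs on a constructed, simplified sample; the USER_LOGIN line omits the nested msg='...' quoting that real records carry.

```python
import re
from collections import OrderedDict
from datetime import datetime, timezone

# Record header: type, then the event ID audit(seconds.millis:serial), then the rest
_HEADER = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<sec>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
# key=value pairs after the header; values are either double-quoted or bare tokens
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one raw record into (type, event_id, fields); None for non-record lines."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    event_id = (int(m['sec']), int(m['ms']), int(m['serial']))
    fields = {k: v.strip('"') for k, v in _KV.findall(m['rest'])}
    return m['type'], event_id, fields

def event_time(event_id):
    """Render the seconds.millis part of an event ID as a UTC timestamp string."""
    sec, ms, _serial = event_id
    stamp = datetime.fromtimestamp(sec, tz=timezone.utc)
    return stamp.strftime('%Y-%m-%d %H:%M:%S') + '.%03d' % ms

def assemble_events(lines):
    """Group records by event ID in first-seen order, however they were emitted."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, eid, fields = rec
        events.setdefault(eid, []).append((rtype, fields))
    return events

# Constructed sample (not from a real system): the PATH record of event 1128 is emitted
# before its SYSCALL record, with an unrelated USER_LOGIN record in between.
SAMPLE = """\
type=PATH msg=audit(1166045975.667:1128): item=0 name="/etc/shadow" inode=1234
type=USER_LOGIN msg=audit(1166045976.001:1129): pid=2001 uid=0 auid=500 hostname=10.0.0.5 terminal=ssh res=success
type=SYSCALL msg=audit(1166045975.667:1128): arch=c000003e syscall=2 success=no exit=-13 auid=500
"""

if __name__ == '__main__':
    for eid, recs in assemble_events(SAMPLE.splitlines()).items():
        print(event_time(eid), 'serial', eid[2], [rtype for rtype, _ in recs])
```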
* RE: How to read audit log?
From: Wieprecht, Karen M. @ 2007-09-25 14:50 UTC
To: John Dennis, Scott Ehrlich; +Cc: linux-audit

>> Your best bet might be to use the auparse library, or ausearch which knows how to interpret the audit log format for you and can present the
>> information in a human friendly format.

I would really like to see a sample of what the auparse output looks like. I have a Perl script that sucks the output of ausearch into a key-value hash table from which I have other code that determines how to print this in a human friendly format, but I'm wondering if auparse can replace that or if all it does for me is to get the information into the key-value hash table so I can decide how I want to format the output ... Anyone have a sample of what they have done with any particular record type and what auparse does with it on the output end?

Thanks,

Karen Wieprecht
* Re: How to read audit log?
From: Steve Grubb @ 2007-09-25 15:02 UTC
To: linux-audit; +Cc: Wieprecht, Karen M.

On Tuesday 25 September 2007 10:50:13 Wieprecht, Karen M. wrote:
>> Your best bet might be to use the auparse library, or ausearch which
>> knows how to interpret the audit log format for you and can present the
>> information in a human friendly format.

It doesn't actually present the information in a human friendly format. Auparse is a library that can be used to write programs to present data in a human friendly output. But someone has to write the code. Basically, it saves you from having to know the details of what the audit log's file format is and present the programmer with a smart iterator that can walk the input source.

> I would really like to see a sample of what the auparse output looks
> like. I have a Perl script that sucks the output of ausearch into a
> key-value hash table from which I have other code that determines how to
> print this in a human friendly format, but I'm wondering if auparse
> can replace that or if all it does for me is to get the information into
> the key-value hash table so I can decide how I want to format the output

Yes. It would let you write an app that is more efficient than using perl on ausearch output.

> ... Anyone have a sample of what they have done with any particular
> record type and what auparse does with it on the output end?

For example, I decided to write a lastlog replacement that works off the audit logs.

The main code loop looks something like this:

    #include <stdio.h>
    #include <string.h>
    #include <errno.h>
    #include <auparse.h>

    // The error_exit_* labels and the linked list 'l' live in the
    // surrounding program; only the auparse loop is shown here.
    auparse_state_t *au;

    // Search for successful user logins
    au = auparse_init(AUSOURCE_LOGS, NULL);
    if (au == NULL) {
        printf("Error - %s\n", strerror(errno));
        goto error_exit_1;
    }
    if (ausearch_add_item(au, "type", "=", "USER_LOGIN", AUSEARCH_RULE_CLEAR)) {
        printf("ausearch_add_item error - %s\n", strerror(errno));
        goto error_exit_2;
    }
    if (ausearch_add_item(au, "res", "=", "success", AUSEARCH_RULE_AND)) {
        printf("ausearch_add_item error - %s\n", strerror(errno));
        goto error_exit_2;
    }
    // Stop on the matching record so that field lookups start there
    if (ausearch_set_stop(au, AUSEARCH_STOP_RECORD)) {
        printf("ausearch_set_stop error - %s\n", strerror(errno));
        goto error_exit_2;
    }

    // Now scan the logs and append events
    while (ausearch_next_event(au) > 0) {
        const au_event_t *e = auparse_get_timestamp(au);
        if (auparse_find_field(au, "auid")) {
            uid_t u = auparse_get_field_int(au);
            list_first(&l);
            if (list_find_uid(&l, u)) {
                const char *str;
                list_update_login(&l, e->sec);
                str = auparse_find_field(au, "hostname");
                if (str)
                    list_update_host(&l, str);
                str = auparse_find_field(au, "terminal");
                if (str)
                    list_update_term(&l, str);
            }
        }
        // Step past the matched event so the next search does not return it again
        auparse_next_event(au);
    }
    auparse_destroy(au);

At this point the program walks its linked list and outputs the data in lastlog format. I was planning to write this program up in a tutorial at some point so that people can see how easy auparse makes writing apps for audit logs.

-Steve
* Re: How to read audit log?
From: James Antill @ 2007-09-25 16:43 UTC
To: Steve Grubb; +Cc: linux-audit, Wieprecht, Karen M.

On Tue, 2007-09-25 at 11:02 -0400, Steve Grubb wrote:
> > I would really like to see a sample of what the auparse output looks
> > like. I have a Perl script that sucks the output of ausearch into a
> > key-value hash table from which I have other code that determines how to
> > print this in a human friendly format, but I'm wondering if auparse
> > can replace that or if all it does for me is to get the information into
> > the key-value hash table so I can decide how I want to format the output
>
> Yes. It would let you write an app that is more efficient than using perl on
> ausearch output.

That's not really true, and when it is true it's only because ausearch is so slow at doing "cat":

    # time fgrep USER_LOGIN /var/log/audit/*
    fgrep USER_LOGIN /var/log/audit/*  0.01s user 0.01s system 97% cpu 0.017 total

    # time perl -ne '/^type=USER_LOGIN msg=audit\((\d+).* auid=(\d*).*\Whostname=(\w*).*\Wterminal=(\S*).*\Wres=success\W/ && print localtime($1) . " - $2 - $3:$4\n"' /var/log/audit/* > /dev/null
    perl -ne /var/log/audit/*  0.06s user 0.01s system 99% cpu 0.074 total

    # time ausearch -m USER_LOGIN -i | perl -ne '/^type=USER_LOGIN msg=audit\(([^)]+).* auid=(\d*).*\Whostname=(\w*).*\Wterminal=(\S*).*\Wres=success\W/ && print "$1 - $2 - $3:$4\n"' > /dev/null
    ausearch -m USER_LOGIN -i  0.28s user 0.01s system 99% cpu 0.288 total
    perl -ne  0.00s user 0.00s system 1% cpu 0.288 total

    # time ./lastlog_audit > /dev/null
    ./lastlog_audit  0.54s user 0.01s system 99% cpu 0.557 total

    # time ausearch -i | perl -ne '/^type=USER_LOGIN msg=audit\(([^)]+).* auid=(\d*).*\Whostname=(\w*).*\Wterminal=(\S*).*\Wres=success\W/ && print "$1 - $2 - $3:$4\n"' > /dev/null
    ausearch -i  1.61s user 0.75s system 98% cpu 2.388 total
    perl -ne  0.11s user 0.05s system 6% cpu 2.386 total

...the lastlog_audit is the obvious implementation using your provided code as a starting point:

http://people.redhat.com/jantill/lastlog_audit.c

-- 
James Antill <jantill@redhat.com>
* Re: How to read audit log?
From: Steve Grubb @ 2007-09-25 17:02 UTC
To: James Antill; +Cc: linux-audit, Wieprecht, Karen M.

On Tuesday 25 September 2007 12:43:52 James Antill wrote:
> > Yes. It would let you write an app that is more efficient than using perl
> > on ausearch output.
>
> That's not really true,

Sure it is. perl cannot do the interpretations. So you'd have to spend time writing all that code and maintain it or use ausearch to provide you that functionality.

> and when it is true it's only because ausearch is so slow at doing "cat":

It does a lot more than "cat". For example, it understands the ordering requirements of the logs and searches them in the correct order. It also assembles the records into an event before presenting them. It interprets some of the data so that it's more usable even if you don't ask for a full interpretation.

-Steve
* RE: How to read audit log?
From: Todd, Charles @ 2007-09-25 17:47 UTC
To: Steve Grubb; +Cc: linux-audit

> -----Original Message-----
> It also assembles the records into an
> event before presenting them. It interprets some of the data
> so that it's more usable even if you don't ask for a full
> interpretation.
>
> -Steve

Steve,

On my 1.0.15 installation, I did some quick scraping to see if audit trail records could be split after ausearch was done processing them, and yes, they can be split. I'm fine with the raw logs not necessarily being joined, but this was the output from ausearch. It did it even when I asked for the split record by event id, that is, it still split them into separate records. I estimate that this is really only for about 0.5% of the records though, and it may be tied to my particular version. This does make it difficult to know that I haven't missed anything.

Thanks,
Charlie Todd
Ball Aerospace & Technologies Corp.