From: "McCarthy, John D."
Subject: Viewing Auditd LOG format (RHEL 4 Workstation: 64bit Kernel 2.6.9-67)
Date: Tue, 27 May 2008 10:43:05 -0400
To: linux-audit@redhat.com

Is there a way to view/change the Auditd log format so when I view the logs they are more user friendly to read? I think the auditd.conf file format is FORMAT=RAW, is this the setting and if so can I change it so my logs are less complicated to read. The other log files (SYSTEM or SECURITY) are easy enough to read; it's just the auditd.log files are complicated.

Thank You

John D. McCarthy
Information Assurance Principal Engineer
General Dynamics AIS
5200 Springfield Pike Suite 200
Dayton, Ohio 45431-1289
Phone: 937-476-2619
Fax: 937-476-2542


From: Linda Knippers
Subject: Re: Viewing Auditd LOG format (RHEL 4 Workstation: 64bit Kernel 2.6.9-67)
Date: Tue, 27 May 2008 11:40:02 -0400
Message-ID: <483C2B52.8060203@hp.com>
To: "McCarthy, John D."
Cc: linux-audit@redhat.com

McCarthy, John D. wrote:
> Is there a way to view/change the Auditd log format so when I view the
> logs they are more user friendly to read? I think the auditd.conf file
> format is FORMAT=RAW, is this the setting and if so can I change it so
> my logs are less complicated to read. The other log files (SYSTEM or
> SECURITY) are easy enough to read; it's just the auditd.log files
> are complicated.

The log_format option just lets you specify whether to log the records or
just send them to the audit dispatcher.

Have you tried using the ausearch or aureport commands to view the logs?
They provide a variety of display/summary options. I know ausearch is in
RHEL4 - not sure about aureport.

-- ljk


From: Steve Grubb
Subject: Re: Viewing Auditd LOG format (RHEL 4 Workstation: 64bit Kernel 2.6.9-67)
Date: Tue, 27 May 2008 11:43:46 -0400
Message-ID: <200805271143.46946.sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "McCarthy, John D."

On Tuesday 27 May 2008 10:43:05 McCarthy, John D. wrote:
> Is there a way to view/change the Auditd log format so when I view the
> logs they are more user friendly to read?

Not really. The format option is really to describe any kind of change to the
data that the audit daemon might make. raw is the only supported option. But
others might in the future be binary or compressed.

> I think the auditd.conf file format is FORMAT=RAW, is this the setting and
> if so can I change it so my logs are less complicated to read.

The design of the audit system is to grab the subject and its credentials and
the object and all its permission or security related attributes and send that
out as one event. Different hooks in the kernel create a record of what they
see as the event occurs. So, it has this kind of fragmented view of subrecords.
For example, syscall entry has no idea what the file permissions or inode is
of the resolved file. The hook in the file system has no idea what the syscall
was. So each part of the kernel contributes its own knowledge about the
current event. The idea is just to dump this to disk as fast as possible and
rely on data reduction tools to make sense of it.

The first program written was ausearch. It has the ability to group the
records into an event, scan for particular events, and to interpret numbers to
human readable form. But this doesn't give you snapshot or summary
information. aureport was the second tool developed to try to boil down this
information into something more readable. (Does this one work for you?)

Writing that tool made me realize that we really need a standard parser so
that anyone can write tools around the audit data. That work took a long time
to get right and I think we finally have a full library that can be used to
write the next generation of tools. A new program, audit_viewer, was recently
released based on the new parser. I see it as the beginning of new tools that
people can write to make the audit data more user friendly.

So far, no one has really stated what they really want the audit data to look
like. So, it's the way it is due to no input from people that use it and due
to not having had the tools to effectively act upon any suggestions we might
have gotten about formatting. So, I think this project is about at the point
we can write good tools. We need suggestions about how to present the
information.

-Steve
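The grouping and interpretation step Steve describes, as an added Python example that is not part of the thread or of the audit project's own code: it parses a few constructed raw audit.log lines, reassembles the SYSCALL, CWD and PATH subrecords into events by their msg=audit(timestamp:serial) id, and renders each event readably. The syscall numbers are assumed to be x86_64, and the errno and uid tables are small constructed stand-ins for the full interpretation ausearch -i performs.

```python
import re

# Constructed raw auditd lines (not from the thread). Records sharing one
# msg=audit(timestamp:serial) id form one event: SYSCALL, CWD and PATH hooks each log only what they see.
RAW_LOG = """\
type=SYSCALL msg=audit(1211899385.123:456): arch=c000003e syscall=2 success=no exit=-13 a0=7fff5e8 a1=0 a2=0 a3=0 items=1 ppid=2231 pid=2398 auid=500 uid=500 gid=500 euid=500 comm="cat" exe="/bin/cat" key="shadow-access"
type=CWD msg=audit(1211899385.123:456):  cwd="/home/jdm"
type=PATH msg=audit(1211899385.123:456): item=0 name="/etc/shadow" inode=131102 dev=08:02 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1211899390.500:457): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2231 pid=2402 auid=500 uid=500 gid=500 euid=500 comm="id" exe="/usr/bin/id" key=(null)
type=PATH msg=audit(1211899390.500:457): item=0 name="/usr/bin/id" inode=98311 dev=08:02 mode=0100755 ouid=0 ogid=0
"""

HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Interpretation tables, deliberately partial; syscall numbers are x86_64 only.
SYSCALLS = {2: "open", 3: "close", 59: "execve"}
ERRNOS = {2: "ENOENT", 13: "EACCES"}
PASSWD = {0: "root", 500: "jdm"}  # constructed uid -> login map

def parse_record(line):
    """Split one raw line into record type, event id and its key=value fields."""
    if not (m := HEADER_RE.match(line)):
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "event": f"{ts}:{serial}", "fields": fields}

def group_events(raw):
    """Reassemble subrecords into events keyed by timestamp:serial, as ausearch does."""
    events = {}
    for line in raw.splitlines():
        if rec := parse_record(line):
            events.setdefault(rec["event"], []).append(rec)
    return events

def interpret(records):
    """Merge one event's subrecords and turn numbers into names (what ausearch -i does)."""
    f = {}
    for rec in records:  # each hook's fields contribute to one combined view
        f.update(rec["fields"])
    sc, code = int(f.get("syscall", -1)), int(f.get("exit", 0))
    outcome = "success" if f.get("success") == "yes" else f"failed ({ERRNOS.get(-code, code)})"
    who = PASSWD.get(int(f["auid"]), f["auid"])
    return (f"{who} ran {f['exe']}: {SYSCALLS.get(sc, sc)} {f.get('name', '?')} "
            f"from cwd {f.get('cwd', '?')}, {outcome}")

if __name__ == "__main__":
    for event_id, recs in group_events(RAW_LOG).items():
        print(event_id, interpret(recs))
```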