* auditd log files
From: Brian Ross @ 2011-03-09 5:46 UTC (permalink / raw)
To: linux-audit@redhat.com
I would like to know how I can read the auditd log files stored in /var/log/audit.d.
I have a problem where the auditd system seems to go haywire, fills the /var filesystem up to its maximum allowed 80% and then starts to try and delete the old log files but the /var filesystem keeps filling up, at which point it ceases execution and then I have SysEdge reporting a massive CPU load and the whole server locks up.
I believe the auditd system's behavior is symptomatic, rather than the cause of the problem. I note that the auditd log files are in some binary format. Is there a means to read them?
cheers
Brian Ross
Technical Consultant
ASG Group Limited
* Re: auditd log files
From: Steve Grubb @ 2011-03-09 12:52 UTC (permalink / raw)
To: linux-audit
On Wednesday, March 09, 2011 12:46:26 am Brian Ross wrote:
> I would like to know how I can read the auditd log files stored in
> /var/log/audit.d.
Ausearch is the utility that is meant to display the individual records. However, I would start any investigation with aureport --start today --summary and then see what category is having the most events. Each category has its own report. Each report has 2 modes, summary and all events. I use the summary to get an idea and then move to ausearch when I need to. I have some notes on doing an investigation in the audit.rules man page.
Also, the audit daemon is recommended to have /var/log/audit as its own partition to prevent problems like you are seeing. It also makes the audit daemon's operation better because it calculates the amount of space left for the actions programmed in for space_left_action and disk_full_action.
> I have a problem where the auditd system seems to go haywire, fills the
> /var filesystem up to its maximum allowed 80% and then starts to try and
> delete the old log files but the /var filesystem keeps filling up, at
> which point it ceases execution and then I have SysEdge reporting a
> massive CPU load and the whole server locks up.
>
> I believe the auditd system's behavior is symptomatic, rather than the
> cause of the problem. I note that the auditd log files are in some
> binary format. Is there a means to read them?
They are text records with an occasional field in a special encoding to prevent log injection attacks.
-Steve
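An added example, not part of this thread or of the audit tools: a small Python parser for the text records Steve describes, which decodes the hex-encoded "untrusted string" fields the kernel emits whenever a value contains a space, a double quote or a control byte, and groups records into events by serial number the way ausearch does. The allowlist of encoded fields and the sample log lines are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
# Constructed subset of the field table: these arrive quoted when every byte is
# printable ASCII other than '"' and space, else as unquoted hex of the raw bytes.
ENCODED_STRING_FIELDS = {"name", "proctitle", "comm", "exe", "cwd", "key", "acct", "cmd"}
MSG_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# Constructed sample event (serial 4567): the filename "/tmp/a b" contains a
# space, so name= and proctitle= arrive hex-encoded rather than quoted.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1299652000.123:4567): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd3a2b4c5e a1=0 a2=1b6 a3=0 items=1 pid=1235 auid=1000 uid=0 comm="cat" exe="/bin/cat" key="audit-dir"
type=PATH msg=audit(1299652000.123:4567): item=0 name=2F746D702F612062 inode=12345 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=PROCTITLE msg=audit(1299652000.123:4567): proctitle=2F62696E2F636174202F746D702F612062
"""

@dataclass
class AuditRecord:
    type: str
    timestamp: float
    serial: int
    fields: dict = field(default_factory=dict)
    decoded: set = field(default_factory=set)  # fields that arrived hex-encoded

def _decode_value(key, raw):
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1], False
    is_hex = bool(raw) and len(raw) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in raw)
    if key in ENCODED_STRING_FIELDS and is_hex:
        # Decoded bytes are data: any space, quote or newline in them is what
        # the encoding stopped from splitting or forging a record.
        return bytes.fromhex(raw).decode("utf-8", errors="replace"), True
    return raw, False  # numbers, hex syscall args (a0..a3), (null), etc.

def parse_record(line):
    m = MSG_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rtype, secs, millis, serial, rest = m.groups()
    rec = AuditRecord(rtype, float(f"{secs}.{millis}"), int(serial))
    for key, raw in FIELD_RE.findall(rest):
        rec.fields[key], was_hex = _decode_value(key, raw)
        if was_hex:
            rec.decoded.add(key)
    return rec

def parse_log(text):  # group records into events by serial, as ausearch does
    events = {}
    for rec in map(parse_record, filter(str.strip, text.splitlines())):
        events.setdefault(rec.serial, []).append(rec)
    return events
```

Syscall argument fields such as a0 are also hex but are deliberately left untouched, since they are numbers rather than encoded strings.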