From mboxrd@z Thu Jan  1 00:00:00 1970
From: Scott Ehrlich <scott@MIT.EDU>
Subject: How to read audit log?
Date: Tue, 25 Sep 2007 09:21:59 -0400 (EDT)
Message-ID: <Pine.GSO.4.64L.0709250917510.2611@mint-square.mit.edu>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id l8PDM76x025905
	for <linux-audit@redhat.com>; Tue, 25 Sep 2007 09:22:07 -0400
Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU
	[18.7.7.80])
	by mx3.redhat.com (8.13.1/8.13.1) with ESMTP id l8PDM6aP000321
	for <linux-audit@redhat.com>; Tue, 25 Sep 2007 09:22:06 -0400
Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103])
	by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id
	l8PDM0lo004159
	for <linux-audit@redhat.com>; Tue, 25 Sep 2007 09:22:00 -0400 (EDT)
Received: from mint-square.mit.edu (MINT-SQUARE.MIT.EDU [18.7.18.71])
	(authenticated bits=56) (User authenticated as scott@ATHENA.MIT.EDU)
	by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id l8PDLxCp019596
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <linux-audit@redhat.com>; Tue, 25 Sep 2007 09:22:00 -0400 (EDT)
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

As I've reviewed the audit log of a system with audit 1.5.2 installed, I 
discovered the format is something I wasn't used to, and performing a man 
on auditd, auditctl, and a few others didn't help clarify anything.

Could someone please produce a sample audit log line or two and break down 
what each piece means, or direct me to a web page that does so?

I had initially expected some form of date/time stamp, but looking at the 
first set of decimal-separated digits couldn't help me decipher a 
date/time.

Thanks for any assistance.

Scott