Re: a new tool
- From: John Dennis <jdennis redhat com>
- To: Josef Kubin <jkubin redhat com>
- Cc: fedora-selinux-list redhat com
- Subject: Re: a new tool
- Date: Tue, 18 Dec 2007 09:09:13 -0500
Josef Kubin wrote:
Hello,
I've just written a simple sed script for conversion of audit.log to an html
counterpart, because the audit.log file over the web is really hard to read
without highlighting by the "avc: denied" substring and the corresponding
timestamp group.
http://people.redhat.com/jkubin/selinux/audit2html
$ audit2html < /var/log/audit/audit.log > audit.log.html
http://people.redhat.com/jkubin/selinux/audit.log.html
http://tinyurl.com/2ek3oe
Suggestions and comments are welcome; thank you for your feedback.
Thank you for sharing this, Josef. This looks interesting and useful, but
I have a couple of questions, at least based on the example you
provided. The grouping appears to be wrong. Some items in a group share
a common timestamp, others do not and are a mix of other audit events.
Events must share a common second, millisecond, and serial number (and
host when present). I looked at the sed script to see how this was
happening but complex sed syntax is too cryptic to be readable :-( Also,
have you considered using the audit parsing library (auparse) for this
task? It is designed to make parsing audit data easy and robust (and I
dare say more readable and maintainable than sed :-)
--
John Dennis <jdennis redhat com>
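The grouping rule John describes (records belong to the same event only when they share second, millisecond and serial number, plus the node when one is present) can be shown with a small parser. The following is an added example written for this page; it is neither Josef's sed script nor auparse, and the audit.log lines it works on are constructed sample records, not real log data. It keys each record on the `msg=audit(sec.msec:serial)` header that the audit daemon writes, builds event groups in file order, and renders them as HTML with the groups containing an "avc: denied" record marked. Field values are HTML-escaped before output because audit records carry process-supplied strings such as command names and file names.

```python
import html
import re
from collections import OrderedDict

# Constructed sample audit.log records (made up for this example, not taken from
# the thread). Records of one event share the same sec.msec:serial header; the
# last record carries a node= prefix, so it forms a separate event even though
# its numbers match the CRED_ACQ record before it.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1197986353.146:4321): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1197986353.146:4321): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SYSCALL msg=audit(1197986353.146:4322): arch=c000003e syscall=59 success=yes exit=0 comm="bash" exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
type=CRED_ACQ msg=audit(1197986360.001:4323): user pid=2350 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" res=success'
node=web1.example.test type=AVC msg=audit(1197986360.001:4323): avc:  denied  { write } for  pid=2351 comm="sshd" name="log" dev=sda1 ino=99 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# Optional node= prefix, then the record type and the audit header.
RECORD_RE = re.compile(
    r'^(?:node=(?P<node>\S+)\s+)?type=(?P<type>\S+)\s+'
    r'msg=audit\((?P<sec>\d+)\.(?P<msec>\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
DENIED_RE = re.compile(r'\bavc:\s+denied\b')


def parse_record(line):
    """Split one audit record into its header fields and body.

    Returns None for lines that do not carry an audit header, so malformed
    or truncated lines are skipped instead of aborting the run.
    """
    m = RECORD_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def group_events(text):
    """Group records into events keyed on (node, sec, msec, serial).

    The key follows the rule from the thread: same second, same millisecond,
    same serial number, and same host when a node= field is present.
    Groups keep the order in which they first appear in the log.
    """
    groups = OrderedDict()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["node"], rec["sec"], rec["msec"], rec["serial"])
        groups.setdefault(key, []).append(rec)
    return groups


def has_denial(records):
    """True when any record of the event is an AVC denial."""
    return any(DENIED_RE.search(r["body"]) for r in records)


def render_html(groups):
    """Render grouped events as HTML, marking groups that contain a denial.

    Every piece of log text goes through html.escape: audit bodies contain
    strings chosen by the audited process (comm=, name=, exe=), which must
    not be written into the page as markup.
    """
    out = ["<html><body><pre>"]
    for (node, sec, msec, serial), records in groups.items():
        css = "denied" if has_denial(records) else "event"
        label = f"{sec}.{msec}:{serial}" + (f" @ {node}" if node else "")
        out.append(f'<div class="{css}"><b>{html.escape(label)}</b>')
        for r in records:
            out.append(html.escape(f'{r["type"]} {r["body"]}'))
        out.append("</div>")
    out.append("</pre></body></html>")
    return "\n".join(out)


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; a real log would be read
    # from stdin the same way Josef's command line does.
    print(render_html(group_events(SAMPLE_AUDIT_LOG)))
```

The sample yields four events, not three: the CRED_ACQ record and the node-prefixed AVC record have identical numbers but different hosts, which is exactly the case the reply says a timestamp-only grouping gets wrong.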