[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: How to read audit log?



On Tuesday 25 September 2007 09:21:59 Scott Ehrlich wrote:
> Could someone please produce a sample audit log line or two and break down
> what each piece means, or direct me to a web page that does so?

For the quick view of your system, use the aureport program. It can give you 
summary information and produce reports for various aspects like failed 
logins or denied file accesses.

aureport --start this-month
aureport --start this-week --login --failed -i
aureport --start this-week --file --failed -i

But there comes a time when you just want to see the raw information since 
there are more details. ausearch is the tool for this. It understands the 
format of the logs and should be used to look at the logs since it can do 
interpretation of the fields and glue individual records into events.

ausearch --start today -i | less

What each field means can be found in the audit parsing library specification:

http://people.redhat.com/sgrubb/audit/audit-parse.txt

It gives an overview of the records in the top portion before it gets to the 
functions in the library.

> I had initially expected some form of date/time stamp, but looking at the
> first set of decimal-separated digits couldn't help me decipher a
> date/time.

ausearch is intended to be the audit log display tool.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]