How to read audit log?

Steve Grubb sgrubb at redhat.com
Tue Sep 25 14:33:23 UTC 2007


On Tuesday 25 September 2007 09:21:59 Scott Ehrlich wrote:
> Could someone please produce a sample audit log line or two and break down
> what each piece means, or direct me to a web page that does so?

For the quick view of your system, use the aureport program. It can give you 
summary information and produce reports for various aspects like failed 
logins or denied file accesses.

aureport --start this-month
aureport --start this-week --login --failed -i
aureport --start this-week --file --failed -i

But there comes a time when you just want to see the raw information since 
there are more details. ausearch is the tool for this. It understands the 
format of the logs and should be used to look at the logs since it can do 
interpretation of the fields and glue individual records into events.

ausearch --start today -i | less

What each field means can be found in the audit parsing library specification:

http://people.redhat.com/sgrubb/audit/audit-parse.txt

It gives an overview of the records in the top portion before it gets to the 
functions in the library.

> I had initially expected some form of date/time stamp, but looking at the
> first set of decimal-separated digits couldn't help me decipher a
> date/time.

ausearch is intended to be the audit log display tool.

-Steve
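As an added example (not from Steve's reply or from the audit package itself), here is a small Python parser that does by hand what ausearch -i does on a few constructed records: it decodes the msg=audit(<seconds>.<milliseconds>:<serial>) header, which is the "decimal-separated digits" Scott was looking at, glues records that share that header into one event, and interprets a couple of raw values. The log lines are constructed for the example and are not real captures.

```python
import errno
import re
from datetime import datetime, timezone

# Constructed sample records (not from the original post). Records whose
# msg=audit(<epoch>.<ms>:<serial>) header is identical belong to one event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1190730079.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="cat" exe="/bin/cat" uid=500 auid=500
type=CWD msg=audit(1190730079.123:456): cwd="/home/scott"
type=PATH msg=audit(1190730079.123:456): item=0 name="/etc/shadow" inode=1234 mode=0100400 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1190730100.987:457): pid=2200 uid=0 auid=4294967295 msg='op=login acct="root" res=failed'
"""

HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<secs>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")  # key=value, value may be quoted

def parse_record(line):
    """Split one raw record into its type, timestamp, event serial and k=v fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    # The header digits are seconds since the Unix epoch, then milliseconds;
    # the number after the colon is the kernel's per-boot event serial.
    when = datetime.fromtimestamp(int(m['secs']), timezone.utc).replace(microsecond=int(m['ms']) * 1000)
    fields = {k: v.strip('"\'') for k, v in FIELD_RE.findall(m['body'])}
    return {"type": m['type'], "time": when, "serial": int(m['serial']),
            "event_id": f"{m['secs']}.{m['ms']}:{m['serial']}", "fields": fields}

def interpret(fields):
    """A little of what 'ausearch -i' does: turn raw numeric values into readable ones."""
    out = dict(fields)
    if "exit" in out and int(out["exit"]) < 0:          # negative exit is -errno
        out["exit"] = errno.errorcode.get(-int(out["exit"]), out["exit"])
    if out.get("auid") == "4294967295":                  # (unsigned)-1: no login uid set
        out["auid"] = "unset"
    return out

def glue_events(text):
    """Group records that share one audit(...) header into events, as ausearch does."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["event_id"], []).append(rec)
    return events

if __name__ == "__main__":
    for eid, recs in glue_events(SAMPLE_LOG).items():
        print(eid, recs[0]["time"].isoformat(), [(r["type"], interpret(r["fields"])) for r in recs])
```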
