How to configure SELinux to print date and time in each entry in audit log?
Solution 1
While there aren't any options you can set to make auditd log with a human-parseable date format, if you use the 'ausearch' command to search your audit log, there is an -i option which produces human-readable (well, perhaps slightly more human readable) output.
For example, if I ran ausearch -ts today on my newly-booted system, I see:
# ausearch -ts today
----
time->Mon Mar 19 23:07:00 2012
type=DAEMON_START msg=audit(1332212820.421:3834): auditd start, ver=2.1.3 format=raw kernel=3.2.10-3.fc16.x86_64 auid=4294967295 pid=6438 subj=system_u:system_r:auditd_t:s0 res=success
But if I run ausearch -ts today -i, I see:
# ausearch -ts today -i
----
type=DAEMON_START msg=audit(03/19/2012 23:07:00.421:3834) : auditd start, ver=2.1.3 format=raw kernel=3.2.10-3.fc16.x86_64 auid=unset pid=6438 subj=system_u:system_r:auditd_t:s0 res=success
Does that work for you? ausearch is probably what you'll be using to look at audit records anyway. -i also does stuff like uid->username lookups and other resolutions.
EDIT: You can see from the above that I'm running Fedora 16, but the same ausearch -i applies to RHEL5.
Solution 2
That long number at the beginning is a timestamp: it's seconds since the epoch. A few moments ago, I got:
[0 1128 18:09:57] ~ % date +%s; date
1331917801
Fri Mar 16 18:10:01 CET 2012
To convert the number into something more readable, try
[0 1133 18:12:41] ~ % date -d @1331897657
Fri Mar 16 12:34:17 CET 2012
(So apparently, you'll need "usual sed tricks" to cut off the sub-second parts.)
I don't have a SE-enabled machine handy, but maybe sealert -a also parses the timestamps into something human-readable?
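The conversion Solution 2 describes, carried through as a small script. This is an added example, not code from any of the answers: it pulls the epoch value out of the msg=audit(...) field of each raw record and rewrites it in the MM/DD/YYYY HH:MM:SS.mmm form that Solution 1 shows ausearch -i producing, keeping the serial number so the record can still be matched against the original log. The sample lines and the function names are constructed for this example; it formats in UTC by default so the output does not depend on the machine's zone, and tz=None gives local time, which is what ausearch and date -d @N print.

```python
import re
from datetime import datetime, timezone

# Raw auditd records as written to /var/log/audit/audit.log. Both lines are
# constructed for this example; the USER_AUTH line mirrors the question's format
# with the hostname and address replaced by placeholder values.
SAMPLE_LOG = (
    "type=USER_AUTH msg=audit(1331897657.359:8435): user pid=15610 uid=0 "
    "auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 "
    "msg='PAM: authentication acct=\"?\" : exe=\"/usr/sbin/sshd\" "
    "(hostname=?, addr=198.51.100.7, terminal=ssh res=failed)'\n"
    "type=DAEMON_START msg=audit(1332212820.421:3834): auditd start, "
    "ver=2.1.3 format=raw res=success\n"
)

# The kernel stamps every record as msg=audit(<seconds>.<millis>:<serial>).
AUDIT_STAMP = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")


def parse_audit_stamp(line):
    """Return (epoch_seconds, millis_text, serial) from a raw record, or None."""
    m = AUDIT_STAMP.search(line)
    if m is None:
        return None
    return int(m.group(1)), m.group(2), int(m.group(3))


def epoch_to_text(seconds, millis_text="", tz=timezone.utc):
    """Format an epoch value the way ausearch -i prints it: MM/DD/YYYY HH:MM:SS.mmm.

    tz defaults to UTC so the result is reproducible; pass tz=None for the
    machine's local zone, which is what ausearch and 'date -d @N' show.
    The millisecond text is copied from the log rather than recomputed from a
    float, so no rounding can change it.
    """
    stamp = datetime.fromtimestamp(seconds, tz=tz).strftime("%m/%d/%Y %H:%M:%S")
    return f"{stamp}.{millis_text}" if millis_text else stamp


def interpret_line(line, tz=timezone.utc):
    """Rewrite the epoch inside msg=audit(...) as a readable date, keeping the serial."""
    def repl(m):
        text = epoch_to_text(int(m.group(1)), m.group(2), tz)
        return f"msg=audit({text}:{m.group(3)})"
    return AUDIT_STAMP.sub(repl, line)


def interpret_log(text, tz=timezone.utc):
    """Interpret every non-empty line of a raw audit.log dump."""
    return [interpret_line(l, tz) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for rec in interpret_log(SAMPLE_LOG):
        print(rec)
```

Run it as `python3 audit_interpret.py` (any file name works), or feed a real file through `interpret_log(open("/var/log/audit/audit.log").read(), tz=None)`. Unlike ausearch -i it leaves uid and auid values as numbers, so 4294967295 (the "unset" auid) stays numeric; only the timestamp is interpreted.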
Solution 3
ausearch -i
From help:
-i,--interpret Interpret results to be human readable
That's the correct answer, as jsbillings wrote.
No need to run tail -f!
P.S. Darn stack points! That's why I couldn't comment or upvote.
malloc4k
Updated on September 18, 2022
Comments
- malloc4k over 1 year
I'm using CentOS 5.5 and by default my /var/log/audit/audit.log looks like this:
type=USER_AUTH msg=audit(1331897657.359:8435): user pid=15610 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="?" : exe="/usr/sbin/sshd" (hostname=c165-130.i02-2.onvol.net, addr=213.165.165.130, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1331897657.360:8436): user pid=15610 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="oracle": exe="/usr/sbin/sshd" (hostname=?, addr=213.165.165.130, terminal=sshd res=failed)'
To be exact, log entries are written without a timestamp. It makes it more difficult to troubleshoot. There is a man page available (man auditd.conf), but all it says on this subject is:
log_format The log format describes how the information should be stored on disk. There are 2 options: raw and nolog. If set to RAW, the audit records will be stored in a format exactly as the kernel sends it. If this option is set to NOLOG then all audit information is discarded instead of writing to disk. This mode does not affect data sent to the audit event dispatcher.
How do I configure it to print the date/time at the beginning of every entry?
- malloc4k about 12 years
In fact, sealert may be a very powerful tool, but it's not what I've exactly looked for. And a little digression here: sealert generates output that looks like it's been conformed to Windows Server audit, don't you think?