On Tue, 2007-09-25 at 09:21 -0400, Scott Ehrlich wrote:
> As I've reviewed the audit log of a system with audit 1.5.2 installed, I
> discovered the format is something I wasn't used to, and performing a man
> on auditd, auditctl, and a few others didn't help clarify anything.
>
> Could someone please produce a sample audit log line or two and break down
> what each piece means, or direct me to a web page that does so?
>
> I had initially expected some form of date/time stamp, but looking at the
> first set of decimal-separated digits couldn't help me decipher a
> date/time.
Your best bet might be to use the auparse library, or ausearch which knows
how to interpret the audit log format for you and can present the
information in a human friendly format.

type=SYSCALL msg=audit(1166045975.667:1128): foo=bar ...

But if you want to roll your own here's a quick intro using the above as an
example. Most of the data are key=value pairs. The first key is the audit
record type. In the example the audit record type is SYSCALL.

Then comes an event ID. A single event that has been audited may consist of
multiple independent records which are NOT necessarily sequentially emitted
by the audit system. The independent records must be assembled into a set of
records comprising the event. The audit(sss.mmm:xxx) is the event ID. The
first integer is a UNIX time stamp (seconds after the epoch), the second
integer is a millisecond offset, the third integer after the colon is a
sequence number to provide uniqueness to the second.milli time stamp.

Everything after that is formatted according to the record type, but is
typically a sequence of key/value pairs.

--
John Dennis <[EMAIL PROTECTED]>

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
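A small parser for the layout John describes, added here as an example that is not part of the original thread and not the auparse library: it splits the audit(sec.ms:serial) event ID, collects the key=value pairs (bare or double-quoted) that follow, and assembles interleaved records into events keyed by that ID. The regexes are assumptions about the common record shape, and the sample lines are constructed, not taken from a real system.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Fixed prefix of every record: the type, then the audit(seconds.millis:serial) event ID.
_HEADER = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<sec>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# The body is key=value pairs; a value is either double-quoted (may hold spaces) or bare.
_KV = re.compile(r'(?P<key>[\w\-]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')


def parse_record(line):
    """Parse one audit record line into a dict; return None if the header does not match."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    sec, ms, serial = int(m["sec"]), int(m["ms"]), int(m["serial"])
    fields = {}
    for kv in _KV.finditer(m["body"]):
        fields[kv["key"]] = kv["quoted"] if kv["quoted"] is not None else kv["bare"]
    return {
        "type": m["type"],
        "event_id": (sec, ms, serial),  # second, millisecond, serial: unique per event
        # Avoid float arithmetic on the timestamp; set the millisecond part exactly.
        "time": datetime.fromtimestamp(sec, tz=timezone.utc).replace(microsecond=ms * 1000),
        "fields": fields,
    }


def group_events(lines):
    """Assemble records into events by event ID; records of one event may arrive interleaved."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["event_id"]].append(rec)
    return dict(events)


# Constructed sample records (hypothetical values); the two events are interleaved on purpose.
SAMPLE = [
    'type=SYSCALL msg=audit(1166045975.667:1128): arch=c000003e syscall=2 success=yes exit=3 uid=1000 exe="/usr/bin/cat"',
    'type=SYSCALL msg=audit(1166045975.702:1129): arch=c000003e syscall=59 success=no exit=-13 uid=1000 exe="/bin/sh"',
    'type=CWD msg=audit(1166045975.667:1128): cwd="/home/user"',
    'type=PATH msg=audit(1166045975.667:1128): item=0 name="/etc/shadow" inode=1234',
]

if __name__ == "__main__":
    for eid, recs in group_events(SAMPLE).items():
        print(eid, recs[0]["time"].isoformat(), [r["type"] for r in recs])
```

Real logs also carry records whose values are hex-encoded or single-quoted (USER_* types), which this minimal parser does not decode; ausearch -i handles those.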
