How to read audit log?

Steve Grubb sgrubb at redhat.com
Tue Sep 25 15:02:31 UTC 2007


On Tuesday 25 September 2007 10:50:13 Wieprecht, Karen M. wrote:
>> Your best bet might be to use the auparse library, or ausearch which
>> knows how to interpret the audit log format for you and can present the
>>  information in a human friendly format.

It doesn't actually present the information in a human-friendly format. 
Auparse is a library that can be used to write programs to present data in a 
human-friendly output. But someone has to write the code. Basically, it saves 
you from having to know the details of what the audit log's file format is 
and presents the programmer with a smart iterator that can walk the input 
source. 

> I would really like to see a sample of what the auparse output looks
> like. I have a Perl script that sucks the output of ausearch into a
> key-value hash table from which I have other code that determines how to
> print this in a human friendly format, but I'm wondering if auparse
> can replace that or if all it does for me is to get the information into
> the key-value hash table so I can decide how I want to format the output

Yes. It would let you write an app that is more efficient than using perl on 
ausearch output.

> ... Anyone have a sample of what they have done with any particular
> record type and what auparse does with it on the output end?

For example, I decided to write a lastlog replacement that works off the audit 
logs. The main code loop looks something like this:

/* Headers this loop relies on: auparse.h for the API, the rest for the
   error reporting. The list_* helpers and error_exit_* labels belong to
   the rest of the program and are not shown here. */
#include <auparse.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

        auparse_state_t *au;
        /* 'l' is the program's own linked list of users, filled in from
           the password database before this loop runs */

        // Search for successful user logins: type=USER_LOGIN AND res=success
        au = auparse_init(AUSOURCE_LOGS, NULL);
        if (au == NULL) {
                printf("Error - %s\n", strerror(errno));
                goto error_exit_1;
        }
        if (ausearch_add_item(au, "type", "=", "USER_LOGIN",
                                                 AUSEARCH_RULE_CLEAR)){
                printf("ausearch_add_item error - %s\n", strerror(errno));
                goto error_exit_2;
        }
        if (ausearch_add_item(au, "res", "=", "success",
                                                 AUSEARCH_RULE_AND)){
                printf("ausearch_add_item error - %s\n", strerror(errno));
                goto error_exit_2;
        }
        // Stop with the cursor on the matching record, not the whole event
        if (ausearch_set_stop(au, AUSEARCH_STOP_RECORD)){
                printf("ausearch_set_stop error - %s\n", strerror(errno));
                goto error_exit_2;
        }

        // Now scan the logs and append events
        while (ausearch_next_event(au) > 0) {
                // Event id of the match; e->sec is the login time
                const au_event_t *e = auparse_get_timestamp(au);
                // auid is the login uid set by pam_loginuid
                if (auparse_find_field(au, "auid")) {
                        uid_t u = auparse_get_field_int(au);
                        list_first(&l);
                        if (list_find_uid(&l, u)) {
                                const char *str;

                                list_update_login(&l, e->sec);
                                // find_field searches forward from the cursor;
                                // hostname and terminal follow auid in USER_LOGIN
                                str = auparse_find_field(au, "hostname");
                                if (str)
                                        list_update_host(&l, str);
                                str = auparse_find_field(au, "terminal");
                                if (str)
                                        list_update_term(&l, str);
                        }
                }
                // Step past this event so the next search starts after it
                auparse_next_event(au);
        }
        auparse_destroy(au);


At this point the program walks its linked list and outputs the data in lastlog 
format. I was planning to write this program up in a tutorial at some point 
so that people can see how easy auparse makes writing apps for audit logs.

-Steve
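As an added example (not Steve's aulastlog code, and not using libauparse), the same selection and lastlog-style summary written in Python directly against the raw record format, i.e. the parsing that auparse's iterator would otherwise do for you: key=value fields, the nested msg='...' block, the audit(sec.ms:serial) event id. The sample records are constructed and the helper names (parse_record, last_logins, format_lastlog, UNSET_AUID) are this example's own; the field layout follows the common USER_LOGIN shape.

```python
import re
import time

# Constructed sample records (not real audit data): three USER_LOGIN events,
# one unrelated SYSCALL record, and one USER_LOGIN with the loginuid unset.
# The layout mirrors what auditd writes: fixed outer fields, then a quoted
# msg='...' holding the PAM-supplied fields (op, hostname, terminal, res).
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1190732531.123:4201): pid=3112 uid=0 auid=500 ses=12 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1190732600.456:4210): pid=3150 uid=0 auid=501 ses=13 msg='op=login id=501 exe="/usr/sbin/sshd" hostname=10.0.0.9 addr=10.0.0.9 terminal=ssh res=failed'
type=SYSCALL msg=audit(1190732601.000:4211): arch=c000003e syscall=2 success=yes exit=3 auid=500 uid=0 comm="cat" exe="/bin/cat"
type=USER_LOGIN msg=audit(1190739000.789:4300): pid=3201 uid=0 auid=500 ses=14 msg='op=login id=500 exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_LOGIN msg=audit(1190739100.000:4310): pid=3260 uid=0 auid=4294967295 ses=4294967295 msg='op=login id=502 exe="/usr/sbin/sshd" hostname=10.0.0.7 addr=10.0.0.7 terminal=ssh res=success'
"""

UNSET_AUID = 0xFFFFFFFF  # kernel value for "loginuid never set"

# One key=value field; quoted values are taken whole so spaces inside
# msg='...' do not split it.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
# The audit(seconds.millis:serial) event id, what auparse_get_timestamp() gives.
TS_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\):")


def parse_record(line):
    """Flatten one raw audit record into a dict, roughly what auparse's
    field iterator hands you: outer fields plus the fields nested inside
    msg='...', quotes stripped, timestamp under _sec/_ms/_serial."""
    m = TS_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"_sec": int(m.group(1)), "_ms": int(m.group(2)), "_serial": int(m.group(3))}
    for key, val in FIELD_RE.findall(line):
        if key == "msg" and val.startswith("audit("):
            continue  # the event id, already captured above
        if val.startswith("'") and val.endswith("'"):
            # hoist the PAM fields out of msg='...'
            for ikey, ival in FIELD_RE.findall(val[1:-1]):
                rec[ikey] = ival.strip('"')
        else:
            rec[key] = val.strip('"')
    return rec


def last_logins(lines):
    """Newest successful login per auid -> {auid: (sec, hostname, terminal)}.
    Same selection as the auparse search rules above: type=USER_LOGIN AND
    res=success, then read auid, hostname and terminal from the record."""
    last = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("type") != "USER_LOGIN" or rec.get("res") != "success":
            continue
        auid = int(rec.get("auid", UNSET_AUID))
        if auid == UNSET_AUID:
            continue  # no loginuid: nothing to attribute the login to
        entry = (rec["_sec"], rec.get("hostname", "?"), rec.get("terminal", "?"))
        if auid not in last or entry[0] >= last[auid][0]:
            last[auid] = entry
    return last


def format_lastlog(last):
    """Render the table in lastlog's column order (uid, port, from, latest)."""
    rows = ["%-8s %-10s %-16s %s" % ("auid", "terminal", "hostname", "latest")]
    for auid in sorted(last):
        sec, host, term = last[auid]
        when = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(sec))
        rows.append("%-8d %-10s %-16s %s" % (auid, term, host, when))
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_lastlog(last_logins(SAMPLE_LOG.splitlines())))
```

Running it on the constructed records keeps only auid 500's later tty1 login: the failed ssh attempt for 501 is dropped by res, the SYSCALL record by type, and the record with auid=4294967295 because the loginuid was never set, which is the case a lastlog replacement has to skip rather than report as a user. Feeding it `cat /var/log/audit/audit.log` instead of SAMPLE_LOG is the only change needed for real data.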
