How to read audit log?

James Antill jantill at redhat.com
Tue Sep 25 16:43:52 UTC 2007


On Tue, 2007-09-25 at 11:02 -0400, Steve Grubb wrote:

> > I would really like to see a sample of what the auparse output looks
> > like.   I have a Perl script that sucks the output of ausearch into a
> > key-value hash table from which I have other code that determines how to
> > print this in  a human friendly format,  but I'm wondering if auparse
> > can replace that or if all it does for me is to get the information into
> > the key-value hash table so I can decide how I want to format the output
> 
> Yes. It would let you write an app that is more efficient than using perl on 
> ausearch output.

 That's not really true, and when it is true it's only because ausearch
is so slow at doing "cat":

# time fgrep USER_LOGIN /var/log/audit/* 
fgrep USER_LOGIN /var/log/audit/*  0.01s user 0.01s system 97% cpu 0.017 total

# time perl -ne '/^type=USER_LOGIN msg=audit\((\d+).* auid=(\d*).*\Whostname=(\w*).*\Wterminal=(\S*).*\Wres=success\W/ && print localtime($1) . " - $2 - $3:$4\n"' /var/log/audit/*  > /dev/null
perl -ne  /var/log/audit/*  0.06s user 0.01s system 99% cpu 0.074 total

# time ausearch -m USER_LOGIN -i | perl -ne '/^type=USER_LOGIN msg=audit\(([^)]+).* auid=(\d*).*\Whostname=(\w*).*\Wterminal=(\S*).*\Wres=success\W/ && print "$1 - $2 - $3:$4\n"' > /dev/null
ausearch -m USER_LOGIN -i  0.28s user 0.01s system 99% cpu 0.288 total
perl -ne   0.00s user 0.00s system 1% cpu 0.288 total

# time ./lastlog_audit > /dev/null
./lastlog_audit  0.54s user 0.01s system 99% cpu 0.557 total

# time ausearch -i | perl -ne '/^type=USER_LOGIN msg=audit\(([^)]+).* auid=(\d*).*\Whostname=(\w*).*\Wterminal=(\S*).*\Wres=success\W/ && print "$1 - $2 - $3:$4\n"' > /dev/null
ausearch -i  1.61s user 0.75s system 98% cpu 2.388 total
perl -ne   0.11s user 0.05s system 6% cpu 2.386 total

...the lastlog_audit is the obvious implementation using your provided
code as a starting point:

http://people.redhat.com/jantill/lastlog_audit.c

-- 
James Antill <jantill at redhat.com>
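The thread contrasts two ways of reading audit records: letting ausearch/auparse do the parsing, or pulling the raw key=value fields out of /var/log/audit/* directly, as the perl one-liner above does. The following is an added example, not code from the mail, from lastlog_audit.c or from the audit project: a small Python parser that turns raw audit lines into a key-value dict (the "hash table" approach from the quoted question) and then lists successful USER_LOGIN events in the same "time - auid - hostname:terminal" shape the one-liner prints. It assumes the standard record header `type=... msg=audit(secs.ms:serial):` and the user-space convention that unquoted values are hex-encoded when they contain unsafe characters; the sample records are constructed, with the older parenthesised "(hostname=?, addr=?, terminal=... res=success)" layout included so the regex's `\W` anchors can be seen handled.

```python
"""Parse raw Linux audit records into key-value dicts and list successful
USER_LOGIN events.  Added example, not from the mail or the audit project."""
import re
from datetime import datetime, timezone

# Record header: type=XXX msg=audit(SECONDS.MILLIS:SERIAL): <body>
_HEADER = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<secs>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')

# One field: key=value, value either "double-quoted", 'single-quoted' (the
# nested msg='...' that user-space records carry), or bare.  A bare value
# stops at whitespace, ',' or ')' so the old "(hostname=?, addr=?, ...)"
# layout parses too.
_FIELD = re.compile(
    r'''(?P<key>[A-Za-z0-9_-]+)=(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^\s,)]*))''')

# Keys the user-space encoder hex-encodes (unquoted) when the value holds
# whitespace or other unsafe characters; quoted values are never encoded.
_HEX_KEYS = {'acct', 'exe', 'comm', 'cmd', 'proctitle'}
_HEX = re.compile(r'^(?:[0-9A-F]{2})+$')


def _decode_bare(key, value):
    """Hex-decode an unquoted value for keys that audit may encode."""
    if key in _HEX_KEYS and _HEX.match(value):
        return bytes.fromhex(value).decode('utf-8', 'replace')
    return value


def parse_fields(text):
    """Return a dict of key -> value for a field string.  A single-quoted
    value (nested msg='...') is parsed recursively and flattened into the
    same dict; nested fields win on a clash because they carry the
    login-specific detail (hostname, terminal, res).  Stray words such as
    'user' or 'PAM:' that are not key=value pairs are skipped."""
    fields = {}
    for m in _FIELD.finditer(text):
        key = m.group('key')
        if m.group('sq') is not None:
            fields.update(parse_fields(m.group('sq')))
        elif m.group('dq') is not None:
            fields[key] = m.group('dq')
        else:
            fields[key] = _decode_bare(key, m.group('bare'))
    return fields


def parse_record(line):
    """Parse one raw audit line; return None for anything that is not a
    well-formed record (blank line, truncated line, other log noise)."""
    m = _HEADER.match(line.rstrip('\n'))
    if not m:
        return None
    rec = parse_fields(m.group('body'))
    rec['type'] = m.group('type')
    rec['time'] = int(m.group('secs')) + int(m.group('ms')) / 1000.0
    rec['serial'] = int(m.group('serial'))
    return rec


def successful_logins(lines):
    """Mirror the perl one-liner: 'time - auid - hostname:terminal' for
    every USER_LOGIN record with res=success.  UTC is used so the output
    does not depend on the machine's timezone."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec['type'] != 'USER_LOGIN' or rec.get('res') != 'success':
            continue
        when = datetime.fromtimestamp(rec['time'], tz=timezone.utc).strftime('%Y-%m-%d %H:%M:%S')
        out.append('%s - %s - %s:%s' % (when, rec.get('auid', '?'),
                                        rec.get('hostname', '?'), rec.get('terminal', '?')))
    return out


# Constructed sample records (addresses from documentation ranges).
SAMPLE = """\
type=USER_LOGIN msg=audit(1190738000.123:4242): user pid=3011 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1190738060.500:4243): user pid=3020 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0 msg='op=login acct=726F6F742075736572 exe="/usr/sbin/sshd" hostname=203.0.113.9 addr=203.0.113.9 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1190738120.000:4244): user pid=3031 uid=0 auid=501 msg='PAM: session open acct="jdoe": exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=SYSCALL msg=audit(1190738121.000:4245): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls"
"""

if __name__ == '__main__':
    # On a real box: successful_logins(open('/var/log/audit/audit.log'))
    for entry in successful_logins(SAMPLE.splitlines()):
        print(entry)
```

Two details matter when reading the raw file rather than `ausearch -i` output: the nested `msg='...'` block has to be unpacked before `res=` and `terminal=` are visible as ordinary fields, and an unquoted `acct=` or `exe=` value that is all hex digits is an encoded string (the second sample's `acct` decodes to "root user"), which a plain regex on the raw line would otherwise match against the wrong text.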