Audit log decode

Tue Sep 11 12:21:44 UTC 2018

On Tuesday, September 11, 2018 8:14:05 AM EDT khalid fahad wrote:
> Hi,
> I need help to decode the following records in audit.log. Thanks
> type=PROCTITLE msg=audit(100000000.000:000):
> proctitle=726D002F7661722F6C6F672F736563757265 type=PATH
> msg=audit(100000000.000:000): item=1 name="/var/log/secure" inode=34679270
> dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:var_log_t:s0 objtype=DELETE type=PATH
> msg=audit(100000000.000:000): item=0 name="/var/log/" inode=33586091
> dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:var_log_t:s0 objtype=PARENT type=CWD
> msg=audit(100000000.000:000):  cwd="/home/adminuser"
> type=SYSCALL msg=audit(100000000.000:000): arch=c000003e syscall=263
> success=no exit=-13 a0=ffffffffffffff9c a1=b830c0 a2=0 a3=7ffc9bd9d600
> items=2 ppid=3493 pid=35055 auid=1000 uid=1000 gid=1000 euid=1000
> suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1
> comm="rm" exe="/usr/bin/rm"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key="secure_log"

The ausearch program is able to decode this and is meant to display the audit 
loags. If you have that in a file named log, you can just do something like 

ausearch -if log -i

and that should decode your event.

-Steve