LinuxQuestions.org

Linux - Software: How can I read the audit time stamp? msg=audit(1213186256.105:20663)
https://www.linuxquestions.org/questions/linux-software-2/how-can-i-read-the-audit-time-stamp-msg%3Daudit-1213186256-105-20663-a-648547/

abefroman 06-11-2008 07:14 AM

How can I read the audit time stamp? msg=audit(1213186256.105:20663)

MensaWater 06-11-2008 07:49 AM

The log it came from may make a difference. Audit log for what?

Assuming the stuff before the dot is the epoch (seconds since 1970), you can run this little script on it:

epoch_converter.pl
Code:

#!/usr/bin/perl
# Print the epoch seconds given as the first argument as a local time string.
print scalar localtime $ARGV[0];
print "\n";

Running epoch_converter.pl 1213186256 results in:
Wed Jun 11 08:10:56 2008
So if that is epoch then the message occurred today at 8:10:56 (AM).

The 20663 might be a PID.

The 105 may be an internal log sequence number.

Of course all of those guesses might be wrong - it depends a lot on what application created the log entry. Many programs do use epoch for log entries.

unSpawn 06-11-2008 08:29 AM

Quote:

Originally Posted by jlightner (Post 3181513)
The log it came from may make a difference.

It's Linux kernel audit messages as in SELinux/Auditd.

BTW I posted an example of how to de-obfuscate audit.log here: http://www.linuxquestions.org/questi...68#post3166168.

lavermil 04-21-2011 06:37 PM

I know this is a really old post but it got me pointed in the right direction.

Here is a simple Perl script to do it nicely.

Code:

#!/usr/bin/perl
use strict;
use warnings;

while(<DATA>)
{
  chomp;
  # $2 is the epoch seconds between "msg=audit(" and the first dot;
  # $1 and $3 are the text on either side, kept so the line is printed intact
  if ( /(.*msg=audit\()(\d+)(\.\d+:\d+.*)/ )
  {
    my $td = scalar localtime $2;
    print "$1$td$3\n";
  }
}

__DATA__
type=SYSCALL msg=audit(1302896047.473:1064090): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=b4316fb0 a2=1d73f0 a3=1c items=0 ppid=1 pid=9002 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="something" exe="/usr/local/sbin/something" subj=user_u:system_r:initrc_t:s0 key=(null)
type=SYSCALL msg=audit(1302896761.743:1064107): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=b42fbfb0 a2=6dd3f0 a3=1b items=0 ppid=1 pid=9090 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="something" exe="/usr/local/sbin/something" subj=user_u:system_r:initrc_t:s0 key=(null)
type=SYSCALL msg=audit(1303393962.726:1070068): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=b43bafb0 a2=f593f0 a3=1b items=0 ppid=1 pid=8035 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="something" exe="/usr/local/sbin/something" subj=user_u:system_r:initrc_t:s0 key=(null)

Usable code:
Code:

sudo cat /var/log/audit/audit.log | perl -ne 'chomp; if ( /(.*msg=audit\()(\d+)(\.\d+:\d+.*)/ ) { $td = scalar localtime $2; print "$1$td$3\n"; }'
If you want a script to check all of your audit logs, try this.
Note: I know there is ausearch, but it doesn't find everything in the log file for some reason... maybe I just don't know how to use it.
Code:

#!/usr/bin/perl
use strict;
use warnings;

# what do I want to look for in the audit log.
my $pattern = $ARGV[0];
die "usage: $0 PATTERN [AUDIT_DIR]\n" unless defined $pattern;

# Define the audit directory if the user doesn't provide one.
my $dir = '/var/log/audit';
$dir = $ARGV[1] if scalar(@ARGV) == 2;

# Strip any trailing slash
$dir =~ s/\/$//g;

# walk through the directory and save the list of files as an array.
# find is nice because it gives you the full path; -type f skips the
# directory entries themselves, which grep would otherwise complain about.
# The list form of open runs the command without a shell, so $dir is
# passed as one argument even if it contains spaces or metacharacters.
open(my $find, '-|', 'sudo', 'find', $dir, '-type', 'f')
  or die "cannot run find: $!\n";
my @files = <$find>;
close($find);
# strip new lines from the array.
chomp(@files);

# loop through each element in the array and do something.
for my $file (@files)
{
  # determine if we use zgrep or grep
  # zgrep is needed for gz and grep is for regular files
  my $grep = ( $file =~ /gz$/ ) ? 'zgrep' : 'grep';

  # again no shell: the pattern goes to grep intact, so a pattern with
  # quotes, spaces or a leading dash cannot break the command line
  open(my $fh, '-|', 'sudo', $grep, '-e', $pattern, $file)
    or die "cannot run $grep on $file: $!\n";
  my @arr = <$fh>;
  close($fh);

  # print the filename only if we found something in the file
  print "\nFile: $file\n" if ( scalar(@arr) > 0 );

  # for each element in the array translate epoch to human readable
  foreach(@arr)
  {
    chomp;
    # do a little regex for easy matching
    if ( /(.*msg=audit\()(\d+)(\.\d+:\d+.*)/ )
    {
      # convert epoch to human readable
      my $td = scalar localtime $2;
      print "$1$td$3\n";
    }
  }
}
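The id asked about in the first post, decoded as an added example; this is not code from any of the posts above. The kernel writes the record header as msg=audit(SECONDS.MILLISECONDS:SERIAL): the number before the dot is Unix epoch seconds, as the Perl scripts in this thread assume, the three digits after the dot are milliseconds, and the number after the colon is the event serial. Every record of one event (a SYSCALL with its CWD and PATH lines, for instance) carries the same id, which is how ausearch groups them; the serial is not a PID. The example is in Python rather than Perl so it can be checked as written; the sample records, pids, paths and address are constructed for it, and it prints UTC by default, with local=True giving the machine's zone the way scalar localtime does.

```python
"""Decode Linux audit record headers and group records into events."""
import re
from datetime import datetime, timezone

# Kernel audit header: type=TYPE msg=audit(SECONDS.MILLIS:SERIAL): key=value ...
# The kernel formats the id as "%llu.%03lu:%u", so the millisecond field
# is always exactly three digits.
AUDIT_ID = re.compile(r'(?P<secs>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)')
AUDIT_HEADER = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<id>\d+\.\d{3}:\d+)\):\s*(?P<body>.*)$')


def decode_audit_id(audit_id):
    """Turn '1213186256.105:20663' into (aware UTC datetime, serial).

    Seconds before the dot are Unix epoch seconds, the digits after it are
    milliseconds, and the number after the colon is the event serial, which
    the kernel increments per event (not per record; it is not a PID).
    """
    m = AUDIT_ID.fullmatch(audit_id)
    if not m:
        raise ValueError(f'not an audit id: {audit_id!r}')
    ts = datetime.fromtimestamp(int(m['secs']), tz=timezone.utc)
    ts = ts.replace(microsecond=int(m['ms']) * 1000)
    return ts, int(m['serial'])


def parse_record(line):
    """Parse one audit.log line; return None for lines that are not records."""
    m = AUDIT_HEADER.match(line.strip())
    if not m:
        return None
    ts, serial = decode_audit_id(m['id'])
    return {'type': m['type'], 'event_id': m['id'], 'timestamp': ts,
            'serial': serial, 'body': m['body']}


def readable(rec, local=False):
    """Rewrite the header with an ISO-8601 time, keeping the serial."""
    ts = rec['timestamp'].astimezone() if local else rec['timestamp']
    return (f"type={rec['type']} msg=audit("
            f"{ts.isoformat(timespec='milliseconds')}:{rec['serial']}): {rec['body']}")


def group_events(lines):
    """Group records sharing one SECONDS.MILLIS:SERIAL id, in first-seen order.

    One event (say, a SYSCALL with its CWD and PATH records) is several
    lines with the same id; this is what ausearch uses to glue them together.
    """
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec['event_id'], []).append(rec)
    return events


# Constructed sample records in auditd's format; the pids, paths and address
# are made up for this example (the first id is the one asked about in the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1213186256.105:20663): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=4242 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/bin/cat" key="shadow-read"
type=CWD msg=audit(1213186256.105:20663): cwd="/root"
type=PATH msg=audit(1213186256.105:20663): item=0 name="/etc/shadow" inode=131 dev=08:01 mode=0100640 ouid=0 ogid=42
type=USER_LOGIN msg=audit(1213186257.432:20664): pid=4300 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=/dev/pts/1 res=success'
# not a record; auditd never writes this, it is here to show it is skipped
"""


if __name__ == '__main__':
    for event_id, records in group_events(SAMPLE_LOG.splitlines()).items():
        print(f'--- event {event_id} ({len(records)} records)')
        for rec in records:
            print(readable(rec))
```

Run it on a real file with `group_events(open('/var/log/audit/audit.log'))`; because records are keyed by the full id rather than by the serial alone, a serial that wraps or repeats after a reboot still lands in its own event.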