How can I read the audit time stamp? msg=audit(1213186256.105:20663)
The log it came from may make a difference. Audit log for what?
Assuming the stuff before the dot is the epoch (seconds since 1970), then you can run this little script on it: epoch_converter.pl
Code:
#!/usr/bin/perl
# epoch_converter.pl: print the epoch timestamp given as the first argument as local time.
# Only the shebang and the output survived in the post; this one-line body is
# reconstructed from the behaviour described (the output below is Perl's
# scalar localtime format), so treat it as a reconstruction.
use strict;
use warnings;
print scalar localtime($ARGV[0]), "\n";
Output:
Wed Jun 11 08:10:56 2008

So if that is epoch then the message occurred today at 8:10:56 (AM). The 20663 might be a PID. The 105 may be an internal log sequence number. Of course all of those guesses might be wrong - it depends a lot on what application created the log entry. Many programs do use epoch for log entries.
Quote:
BTW I posted an example of how to de-obfuscate audit.log here: http://www.linuxquestions.org/questi...68#post3166168.
I know this is a really old post but it got me pointed in the right direction.
Here is a simple Perl script to do it nicely.
Code:
#!/usr/bin/perl
# Rewrite audit.log lines read from the DATA section, replacing the epoch
# seconds inside msg=audit(SECONDS.MS:SERIAL) with local time.
# Only the shebang and the while(<DATA>) line survived in the post; the loop
# body is reconstructed from the one-liner below, which uses the same regex.
use strict;
use warnings;

while (<DATA>) {
    chomp;
    if ( /(.*msg=audit\()(\d+)(\.\d+:\d+.*)/ ) {
        my $td = scalar localtime $2;   # $2 = seconds since the epoch
        print "$1$td$3\n";              # keep the .MS:SERIAL tail untouched
    }
}

__DATA__
msg=audit(1213186256.105:20663)
Code:
sudo cat /var/log/audit/audit.log | perl -ne 'chomp; if ( /(.*msg=audit\()(\d+)(\.\d+:\d+.*)/ ) { $td = scalar localtime $2; print "$1$td$3\n"; }'

Note: I know there is ausearch but it doesn't find everything in the log file for some reason...maybe I am failing to know how to use it.
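As an added example, not code from this thread or from the audit project, here is the same conversion in Python, which also takes the rest of the stamp apart. The Linux audit daemon writes every record as msg=audit(SECONDS.MILLISECONDS:SERIAL): seconds since the epoch (UTC), a millisecond fraction, and an event serial number. Every record of one event (a SYSCALL record plus its EXECVE, PATH, CWD records and so on) carries the same stamp, so the serial is the key to group on. The sample log lines are constructed for the example, and the function names (parse_record, humanize_line, group_events) are my own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit.log records (not taken from the thread). The first
# three records share one audit(SECONDS.MS:SERIAL) stamp, so they are one event:
# the SYSCALL record, its EXECVE arguments and the PATH it touched. The last
# line is deliberately not an audit record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1213186256.105:20663): arch=c000003e syscall=59 success=yes exit=0 pid=4321 uid=0 comm="cat" exe="/bin/cat" key="watch-shadow"
type=EXECVE msg=audit(1213186256.105:20663): argc=2 a0="cat" a1="/etc/shadow"
type=PATH msg=audit(1213186256.105:20663): item=0 name="/etc/shadow" inode=1234 mode=0100000 ouid=0 ogid=42
type=USER_LOGIN msg=audit(1213186300.017:20664): pid=5555 uid=0 auid=1000 ses=3 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
garbage line that is not an audit record
"""

# type=TYPE msg=audit(SECONDS.MS:SERIAL): key=value key=value ...
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<sec>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs; a value may be single- or double-quoted and then contain spaces
FIELD_RE = re.compile(r'''(\w+)=('[^']*'|"[^"]*"|\S+)''')


def parse_record(line):
    """Parse one audit.log line. Returns None for lines that are not audit records."""
    m = RECORD_RE.match(line.rstrip('\n'))
    if m is None:
        return None
    sec, ms = int(m.group('sec')), int(m.group('ms'))
    # The epoch is UTC. Add the milliseconds as an integer offset instead of
    # going through a float, so the fraction is kept exactly.
    when = datetime.fromtimestamp(sec, tz=timezone.utc) + timedelta(milliseconds=ms)
    fields = {k: v.strip('\'"') for k, v in FIELD_RE.findall(m.group('body'))}
    return {
        'type': m.group('type'),
        'time': when,
        'serial': int(m.group('serial')),
        'fields': fields,
        'body': m.group('body'),
    }


def humanize_line(line, tz=timezone.utc):
    """Same idea as the Perl one-liner: swap the epoch seconds for a readable stamp.

    Lines that are not audit records are passed through unchanged instead of
    being dropped. The fraction and serial are kept so the event can still be
    matched against the raw log or against ausearch output.
    """
    rec = parse_record(line)
    if rec is None:
        return line
    stamp = rec['time'].astimezone(tz).strftime('%Y-%m-%d %H:%M:%S.%f')[:-3]
    return f"type={rec['type']} msg=audit({stamp}:{rec['serial']}): {rec['body']}"


def group_events(text):
    """Group records by serial: one event is every record that shares a serial."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec['serial']].append(rec)
    return dict(events)


if __name__ == '__main__':
    for line in SAMPLE_LOG.splitlines():
        print(humanize_line(line))
    for serial, recs in sorted(group_events(SAMPLE_LOG).items()):
        types = [r['type'] for r in recs]
        print(serial, recs[0]['time'].isoformat(), types)
```

The stamp from the question, 1213186256.105, comes out as 2008-06-11 12:10:56.105 UTC; the "08:10:56" in the earlier reply is the same instant rendered by scalar localtime in a zone four hours behind UTC, which is why any conversion script should say which zone it prints in. On a live system the audit userspace does this interpretation itself: ausearch -i prints records with the stamp converted to local time, and the records it groups together are exactly the ones sharing a serial.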