Old 06-11-2008, 07:14 AM   #1
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,429

Rep: Reputation: 55
How can I read the audit time stamp? msg=audit(1213186256.105:20663)
 
Old 06-11-2008, 07:49 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,742
Blog Entries: 15

Rep: Reputation: 1612
The log it came from may make a difference. Audit log for what?

Assuming the stuff before the dot is the epoch (seconds since 1970) then you can run this little script on it:

epoch_converter.pl
Code:
#!/usr/bin/perl
# print the epoch value given on the command line as a local time string
print scalar localtime $ARGV[0];
print "\n";
Running epoch_converter.pl 1213186256 results in:
Wed Jun 11 08:10:56 2008
So if that is epoch then the message occurred today at 8:10:56 (AM).

The 20663 might be a PID.

The 105 may be an internal log sequence number.

Of course all of those guesses might be wrong - it depends a lot on what application created the log entry. Many programs do use epoch for log entries.
 
Old 06-11-2008, 08:29 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,406
Blog Entries: 55

Rep: Reputation: 3578
Quote:
Originally Posted by jlightner
The log it came from may make a difference.
It's Linux kernel audit messages as in SELinux/Auditd.

BTW I posted an example of how to de-obfuscate audit.log here: http://www.linuxquestions.org/questi...68#post3166168.
 
Old 04-21-2011, 06:37 PM   #4
lavermil
LQ Newbie
 
Registered: Apr 2011
Posts: 1

Rep: Reputation: 0
I know this is a really old post but it got me pointed in the right direction.

Here is a simple Perl script to do it nicely.

Code:
#!/usr/bin/perl
use strict;
use warnings;

while (<DATA>)
{
  chomp;
  # capture the prefix, the epoch seconds, and the rest (".millis:serial ...")
  if ( /(.*msg=audit\()(\d+)(\.\d+:\d+.*)/ )
  {
    my $td = scalar localtime $2;
    print "$1$td$3\n";
  }
}

__DATA__
type=SYSCALL msg=audit(1302896047.473:1064090): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=b4316fb0 a2=1d73f0 a3=1c items=0 ppid=1 pid=9002 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="something" exe="/usr/local/sbin/something" subj=user_u:system_r:initrc_t:s0 key=(null)
type=SYSCALL msg=audit(1302896761.743:1064107): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=b42fbfb0 a2=6dd3f0 a3=1b items=0 ppid=1 pid=9090 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="something" exe="/usr/local/sbin/something" subj=user_u:system_r:initrc_t:s0 key=(null)
type=SYSCALL msg=audit(1303393962.726:1070068): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=b43bafb0 a2=f593f0 a3=1b items=0 ppid=1 pid=8035 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="something" exe="/usr/local/sbin/something" subj=user_u:system_r:initrc_t:s0 key=(null)
Usable code:
Code:
sudo cat /var/log/audit/audit.log | perl -ne 'chomp; if ( /(.*msg=audit\()(\d+)(\.\d+:\d+.*)/ ) { $td = scalar localtime $2; print "$1$td$3\n"; }'
If you want a script to check all of your audit logs try this.
Note: I know there is ausearch but it doesn't find everything in the log file for some reason...maybe I am failing to use it correctly.
Code:
#!/usr/bin/perl
use strict;
use warnings;

# what do I want to look for in the audit log.
my $pattern = $ARGV[0];
die "usage: $0 PATTERN [AUDIT_DIR]\n" unless defined $pattern;

# Define the audit directory if the user doesn't provide one.
my $dir = '/var/log/audit';
$dir = $ARGV[1] if scalar(@ARGV) == 2;

# Strip any trailing slash
$dir =~ s/\/$//;

# walk through the directory and save the list of files as an array.
# find is nice because it gives you full path + executable;
# -type f skips the directory entries themselves so grep is not run on them.
my @files = `sudo find "$dir" -type f`;
# strip new lines from the array.
chomp(@files);

# loop through each element in the array and do something.
for my $file (@files)
{
  # declare the empty array before use
  my @arr;

  # determine if we use zgrep or grep
  # zgrep is needed for gz and grep is for regular files
  # (pattern and file name are quoted so the shell does not split them)
  if ( $file =~ /gz$/ )
  {
    @arr = `sudo zgrep -e "$pattern" "$file"`;
  }
  else
  {
    @arr = `sudo grep -e "$pattern" "$file"`;
  }

  # print the filename only if we found something in the file
  print "\nFile: $file\n" if ( scalar(@arr) > 0 );

  # for each element in the array translate epoch to human readable
  foreach (@arr)
  {
    chomp;
    # do a little regex for easy matching
    if ( /(.*msg=audit\()(\d+)(\.\d+:\d+.*)/ )
    {
      # convert epoch to human readable
      my $td = scalar localtime $2;
      print "$1$td$3\n";
    }
  }
}

Last edited by lavermil; 04-21-2011 at 07:04 PM.
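For readers who want the whole header rather than just the seconds, here is an added Python example (not code from this thread) that parses the `msg=audit(SECONDS.MILLIS:SERIAL)` header of kernel audit records: the part before the dot is the Unix epoch time, the three digits after it are milliseconds, and the number after the colon is the event serial that every record of one event (SYSCALL, CWD, PATH, ...) shares, which is what lets you group them. The sample records are constructed for the example; only the timestamp and serial of the first event are taken from the question.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Header of every audit record: msg=audit(SECONDS.MILLIS:SERIAL).  SECONDS is the
# Unix epoch time, MILLIS the millisecond fraction, and SERIAL the kernel's event
# number; all records belonging to one event carry the same time and serial.
AUDIT_HDR = re.compile(r'^type=(\S+)\s+msg=audit\((\d+)\.(\d{3}):(\d+)\):\s*(.*)$')
# Body fields: key=value, key="quoted", key='quoted' or key=(null)
FIELD = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')

def parse_record(line):
    """Parse one audit.log line; return None for lines that are not audit records."""
    m = AUDIT_HDR.match(line.strip())
    if not m:
        return None
    rtype, secs, millis, serial, body = m.groups()
    ts = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    ts = ts.replace(microsecond=int(millis) * 1000)
    fields = {k: v.strip('"\'') for k, v in FIELD.findall(body)}
    return {"type": rtype, "time": ts, "serial": int(serial), "fields": fields}

def format_time(ts):
    """Render the timestamp with its millisecond part, e.g. 2008-06-11 12:10:56.105 UTC."""
    return ts.strftime("%Y-%m-%d %H:%M:%S.") + f"{ts.microsecond // 1000:03d} UTC"

def group_events(lines):
    """Group records by (time, serial) so SYSCALL/CWD/PATH of one event stay together."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[(rec["time"], rec["serial"])].append(rec)
    return dict(events)

# Constructed sample records (not from a real host); the first event reuses the
# timestamp and serial from the question, the second is a later login event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1213186256.105:20663): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=9002 auid=503 uid=0 comm="cat" exe="/bin/cat" key="shadow-watch"
type=CWD msg=audit(1213186256.105:20663): cwd="/root"
type=PATH msg=audit(1213186256.105:20663): item=0 name="/etc/shadow" inode=1234 mode=0100000
type=USER_LOGIN msg=audit(1213186300.001:20670): pid=9100 uid=0 auid=503 msg='op=login id=503 res=success'
""".splitlines()

if __name__ == "__main__":
    for (ts, serial), recs in sorted(group_events(SAMPLE_LOG).items()):
        print(f"{format_time(ts)}  serial={serial}  records={[r['type'] for r in recs]}")
```

The time is printed in UTC; `ausearch -i` or the Perl scripts above use the local zone instead, which is why the same 1213186256 shows as 08:10:56 in a GMT-4 zone.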
All times are GMT -5.