Re: Audit log decode

Just save it to a file and use ausearch -i to do the interpolation for you. For example: ausearch -if /tmp/testentry -i where /tmp/testentry contains the below entry Run it on the same system it was generated on so the UID and other lookups are accurate -- Osama Elnaggar On September 11, 2018 at 10:14:27 PM, khalid fahad (kfgm2001(a)gmail.com) wrote: Hi, I need help to decode the following records in audit.log. Thanks type=PROCTITLE msg=audit(100000000.000:000): proctitle=726D002F7661722F6C6F672F736563757265 type=PATH msg=audit(100000000.000:000): item=1 name="/var/log/secure" inode=34679270 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=DELETE type=PATH msg=audit(100000000.000:000): item=0 name="/var/log/" inode=33586091 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT type=CWD msg=audit(100000000.000:000): cwd="/home/adminuser" type=SYSCALL msg=audit(100000000.000:000): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=b830c0 a2=0 a3=7ffc9bd9d600 items=2 ppid=3493 pid=35055 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="secure_log" -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit