9:43 a.m.
Is there a way to view/change the Auditd log format so when I view the
logs they are more user friendly to read? I think the auditd.conf file
format is FORMAT=RAW, is this the setting and if so can I change it so
my logs are less complicated to read. The other log files (SYSTEM or
SECURITY) are user easy enough to read; its just the auditd.log files
are complicated.
Thank You
John D. McCarthy
Information Assurance Principal Engineer
General Dynamics AIS
5200 Springfield Pike Suite 200
Dayton, Ohio 45431-1289
Phone: 937-476-2619
Fax: 937-476-2542
10:40 a.m.
New subject: Viewing Auditd LOG format (RHEL 4 Workstation: 64bit Kernel 2.6.9-67)
McCarthy, John D. wrote:
Is there a way to view/change the Auditd log format so when I view the
logs they are more user friendly to read? I think the auditd.conf file
format is FORMAT=RAW, is this the setting and if so can I change it so
my logs are less complicated to read. The other log files (SYSTEM or
SECURITY) are user easy enough to read; its just the auditd.log files
are complicated.
The log_format option just lets you specify whether to log the records
or just send them to the audit dispatcher.
Have you tried using the ausearch or aureport commands to view the
logs? They provide a variety of display/summary options. I know
ausearch is in RHEL4 - not sure about aureport.
-- ljk
Thank You
John D. McCarthy
Information Assurance Principal Engineer
General Dynamics AIS
5200 Springfield Pike Suite 200
Dayton, Ohio 45431-1289
Phone: 937-476-2619
Fax: 937-476-2542
------------------------------------------------------------------------
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
10:43 a.m.
On Tuesday 27 May 2008 10:43:05 McCarthy, John D. wrote:
Is there a way to view/change the Auditd log format so when I view
the
logs they are more user friendly to read?
Not really. The format option is really to describe any kind of change to the
data that the audit daemon might make. raw is the only supported option. But
others might in the future be binary or compressed.
I think the auditd.conf file format is FORMAT=RAW, is this the
setting and
if so can I change it so my logs are less complicated to read.
The design of the audit system is to grab the subject and its credentials and
the object and all its permission or security related attributes and send
that out as one event. Different hooks in the kernel create a record of what
they see as the event occurs. So, it has this kind of fragmented view of
subrecords. For example, syscall entry has no idea what the file permissions
or inode is of the resolved file. The hook in the file system has no idea
what the syscall was. So each part of the kernel contributes its own
knowledge about the current event.
The idea is just to dump this to disk as fast as possible and rely on data
reduction tools to make sense of it. The first program written was ausearch.
It has the ability to group the records into an event, scan for particular
events, and to interpret numbers to human readable form.
But this doesn't give you snapshot or summary information. aureport was the
second tool developed to try to boil down this information into something
more readable. (Does this one work for you?)
Writing that tool made me realize that we really need a standard parser so
that anyone can write tools around the audit data. That work took a long time
to get right and I think we finally have a full library that can be used to
write the next generation of tools.
A new program, audit_viewer, was recently released based on the new parser. I
see it as the beginning of new tools that people can write to make the audit
data more user friendly. So far, no one has really stated what they really
want the audit data to look like. So, its the way it is due to no input from
people that use it and due to not having had the tools to effectively act
upon any suggestions we might have gotten about formatting.
So, I think this project is about at the point we can write good tools. We
need suggestions about how to present the information.
-Steve
6052
days inactive
6052
days old
linux-audit@lists.linux-audit.osci.io
2 comments
3 participants
participants (3)
-
Linda Knippers -
McCarthy, John D. -
Steve Grubb