Bug 155885
| Summary: | RFE: log human-readable timestamps in audit logs? | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Joe Orton <jorton> |
| Component: | audit | Assignee: | Steve Grubb <sgrubb> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | | |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | 0.9.2 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2005-06-02 20:34:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Joe Orton
2005-04-25 11:41:31 UTC
There is a utility ausearch that fulfills this. For example, if you know the event you are looking for is between 8:30 & 9:00, the syntax is this:

ausearch -ts 08:30:00 -te 09:00:00

If you want all records up to now, check and see what time it is. For example, 8:50:

ausearch -te 08:50:00

Sample record:

----
time->Sun Apr 24 13:59:15 2005
type=KERNEL msg=audit(1114365555.724:10300557): syscall=39 arch=40000003 success=yes exit=0 a0=bffed9d0 a1=b6cff4 a2=804847c a3=0 items=1 pid=16601 loginuid=4325 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
type=KERNEL msg=audit(1114365555.724:10300557): item=0 name="/tmp/config3" inode=2 dev=03:08 mode=041777 uid=0 gid=0 rdev=00:00

ausearch is slated to have more improvements that make the whole record easy to understand.

That seems fine, though actually formatting the date is what's important to me.

Though if those "-ts" and "-te" options are not proper GNU getopt_long-style --long-options then please make them so, to be consistent with 95% of the rest of the distro! I.e. much preferable syntax:

ausearch --since 08:00 --earlier 09:00 == ausearch -s 08:00 -e 09:00

> That seems fine, though actually formatting the date is what's important to me.

What is missing? What do you want to see?

> though if those "-ts" and "-te" options are not proper GNU getopt_long-style
> --long-options then please make them so to be consistent with 95% of the rest
> of the distro!

This is not likely to happen in the near future. I have real bugs and functionality that's simply missing that has to be done real soon. I also did not want the commandline option mess that auditctl became (before I took it over).

Sorry, I missed the "time->" part, never mind me :)

I added a -i commandline option for ausearch. This interprets all numeric information into human readable text.

type=USER_AUTH msg=audit(06/02/05 16:37:06.836:2403073) : user pid=2795 uid=sgrubb auid=sgrubb msg='PAM authentication: user=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 result=Success)'
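The discussion above turns on two things ausearch does for you: it converts the epoch seconds inside msg=audit(secs.ms:serial) into the "time->" header, and it selects records by a -ts/-te time window. The following is an added example, not code from the audit project, that does both over raw records: it parses the header and key=value fields, joins the records that share a (timestamp, serial) into one event, renders the timestamp in ctime layout, and filters by a time range. The first two sample lines are the KERNEL records quoted in this bug; the USER_AUTH line is constructed (the page shows that event only in its interpreted form), and the inclusive range semantics and the parse_time()/render_event() helpers are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample input: the two KERNEL records from the bug report, plus one constructed
# USER_AUTH record with a later timestamp (not real audit output).
RAW_RECORDS = [
    'type=KERNEL msg=audit(1114365555.724:10300557): syscall=39 arch=40000003 '
    'success=yes exit=0 a0=bffed9d0 a1=b6cff4 a2=804847c a3=0 items=1 pid=16601 '
    'loginuid=4325 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0',
    'type=KERNEL msg=audit(1114365555.724:10300557): item=0 name="/tmp/config3" '
    'inode=2 dev=03:08 mode=041777 uid=0 gid=0 rdev=00:00',
    'type=USER_AUTH msg=audit(1114372800.000:10300600): user pid=2795 uid=0 '
    'auid=4325 msg=\'PAM authentication: user=root exe="/bin/su" '
    '(hostname=?, addr=?, terminal=pts/1 result=Success)\'',
]

# type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <body>
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<secs>\d+)\.(?P<ms>\d{1,3}):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value, where value may be double-quoted, single-quoted (msg='...') or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\'[^\']*\'|\S+)')


def parse_record(line):
    """Split one raw audit record into type, UTC timestamp, serial and fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    when = datetime.fromtimestamp(int(m["secs"]), tz=timezone.utc)
    when += timedelta(milliseconds=int(m["ms"]))
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(m["body"])}
    return {"type": m["type"], "time": when, "serial": int(m["serial"]), "fields": fields}


def format_time(when, utc_offset_hours=0):
    """Render a timestamp in the ctime layout of the 'time->' header.

    ausearch prints local time; the zone is given explicitly here so the output
    is reproducible. The record in the bug was printed in US Eastern (UTC-4)."""
    return when.astimezone(timezone(timedelta(hours=utc_offset_hours))).ctime()


def parse_time(text):
    """Turn 'YYYY-MM-DD HH:MM:SS' into a UTC-aware datetime for range bounds
    (an assumed helper; ausearch's -ts/-te take a time and optional date)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def group_events(records):
    """Join records sharing a (timestamp, serial): they belong to one event."""
    events = {}
    for r in records:
        events.setdefault((r["time"], r["serial"]), []).append(r)
    return [events[k] for k in sorted(events)]


def events_between(events, start, end):
    """Keep events whose timestamp lies in [start, end], like -ts/-te
    (assumed inclusive on both ends)."""
    return [ev for ev in events if start <= ev[0]["time"] <= end]


def render_event(event, utc_offset_hours=0):
    """Print an event the way the 'Sample record' in the bug is laid out."""
    lines = ["----", "time->" + format_time(event[0]["time"], utc_offset_hours)]
    for r in event:
        body = " ".join("%s=%s" % kv for kv in r["fields"].items())
        lines.append("type=%s serial=%d %s" % (r["type"], r["serial"], body))
    return "\n".join(lines)


if __name__ == "__main__":
    records = [parse_record(line) for line in RAW_RECORDS]
    window = (parse_time("2005-04-24 17:30:00"), parse_time("2005-04-24 18:00:00"))
    for ev in events_between(group_events(records), *window):
        print(render_event(ev, utc_offset_hours=-4))
```

The timezone parameter is the practical caveat: the epoch value in the record is unambiguous, but the "time->" line is rendered in the local zone of whoever runs ausearch, so a window such as -ts 08:30:00 matches different raw records on hosts with different TZ settings. When correlating logs across machines, compare the epoch values (or render everything in one fixed zone) rather than the printed local times.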