Bug 155885 - RFE: log human-readable timestamps in audit logs?
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: audit
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Steve Grubb
Reported: 2005-04-25 07:41 EDT by Joe Orton
Modified: 2007-11-30 17:11 EST
Fixed In Version: 0.9.2
Doc Type: Bug Fix
Last Closed: 2005-06-02 16:34:01 EDT
Description Joe Orton 2005-04-25 07:41:31 EDT
Would it be possible to log human-readable timestamps in the audit logs rather
than the time_t values? audit(1114428905.134:0). A couple of times I've had to
do time_t->date conversions to see what's going on with SELinux policy errors!
Comment 1 Steve Grubb 2005-04-25 08:49:41 EDT
There is a utility ausearch that fulfills this. For example, if you know the
event you are looking for is between 8:30 & 9:00, the syntax is this:

ausearch -ts 08:30:00 -te 09:00:00

If you want all records up to now, check and see what time it is. For example, 8:50:

ausearch -te 08:50:00

Sample record:

----
time->Sun Apr 24 13:59:15 2005
type=KERNEL msg=audit(1114365555.724:10300557): syscall=39 arch=40000003
success=yes exit=0 a0=bffed9d0 a1=b6cff4 a2=804847c a3=0 items=1 pid=16601
loginuid=4325 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
type=KERNEL msg=audit(1114365555.724:10300557): item=0 name="/tmp/config3"
inode=2 dev=03:08 mode=041777 uid=0 gid=0 rdev=00:00


ausearch is slated to have more improvements that make the whole record easy to
understand.
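As an added example, not code from this bug thread or from the audit project: a small Python reader for the raw `audit(seconds.millis:serial)` stamp discussed above. It groups records that share a stamp into one event, prints the `----`/`time->` header the way ausearch does, and filters events by an epoch window the way `-ts`/`-te` do. It renders in UTC (ausearch uses local time), and the sample records are constructed from the ones quoted in this thread.

```python
import re
from collections import OrderedDict
from datetime import datetime, timezone

# Constructed sample in the raw audit(SECONDS.MILLIS:SERIAL) form the report
# complains about; values are modelled on the records quoted in the thread.
SAMPLE_LOG = """\
type=KERNEL msg=audit(1114365555.724:10300557): syscall=39 arch=40000003 success=yes exit=0 pid=16601 uid=0
type=KERNEL msg=audit(1114365555.724:10300557): item=0 name="/tmp/config3" inode=2 dev=03:08 mode=041777
type=USER_AUTH msg=audit(1114428905.134:0): user pid=2795 uid=500 auid=500 msg='PAM authentication: user=root'
"""

# The stamp is epoch seconds, a dot, three millisecond digits, and an event serial.
AUDIT_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<secs>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\):")

def parse_stamp(line):
    """Return (epoch seconds as float, serial) for an audit record, or None otherwise."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    return int(m["secs"]) + int(m["ms"]) / 1000.0, int(m["serial"])

def human_time(epoch):
    """Render the epoch like ausearch's 'time->' header (UTC here; ausearch uses local time)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")

def group_events(text):
    """Records that share (timestamp, serial) belong to one event; log order is kept."""
    events = OrderedDict()
    for line in text.splitlines():
        key = parse_stamp(line)
        if key is not None:
            events.setdefault(key, []).append(line)
    return events

def search(text, start=None, end=None):
    """Like 'ausearch -ts/-te': keep events whose epoch lies within [start, end] (epoch seconds)."""
    return [(key, recs) for key, recs in group_events(text).items()
            if (start is None or key[0] >= start) and (end is None or key[0] <= end)]

def render(events):
    """Print each event under a '----' separator and a 'time->' header, as ausearch does."""
    return "\n".join("----\ntime->%s\n%s" % (human_time(epoch), "\n".join(recs))
                     for (epoch, _serial), recs in events)

if __name__ == "__main__":
    # Everything from 2005-04-24 00:00 UTC onwards, i.e. both sample events.
    print(render(search(SAMPLE_LOG, start=1114300800)))
```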
Comment 2 Joe Orton 2005-04-25 09:11:10 EDT
That seems fine, though actually formatting the date is what's important to me.

Though if those "-ts" and "-te" options are not proper GNU getopt_long-style
--long-options, then please make them so, to be consistent with 95% of the rest of
the distro!

i.e. a much preferable syntax:

ausearch --since 08:00 --earlier 09:00
== ausearch -s 08:00 -e 09:00

Comment 3 Steve Grubb 2005-04-25 09:30:38 EDT
>That seems fine, though actually formatting the date is what's important to me.

What is missing? What do you want to see?

>though if those "-ts" and "-te" options are not proper GNU getopt_long-style
>--long-options then please make them so to be consistent with 95% of the rest 
>of the distro!

This is not likely to happen in the near future. I have real bugs and
functionality that's simply missing that has to be done real soon. I also did
not want the commandline option mess that auditctl became (before I took it over).
Comment 4 Joe Orton 2005-04-25 09:32:10 EDT
Sorry I missed the "time->" part, never mind me :)
Comment 5 Steve Grubb 2005-06-02 16:34:01 EDT
I added a -i commandline option for ausearch. This interprets all numeric
information into human-readable text.

type=USER_AUTH msg=audit(06/02/05 16:37:06.836:2403073) : user pid=2795
uid=sgrubb auid=sgrubb msg='PAM authentication: user=root exe="/bin/su"
(hostname=?, addr=?, terminal=pts/1 result=Success)'
