Red Hat Bugzilla – Bug 155885
RFE: log human-readable timestamps in audit logs?
Last modified: 2007-11-30 17:11:04 EST
Would it be possible to log human-readable timestamps in the audit logs rather
than the time_t values? audit(1114428905.134:0). A couple of times I've had to
do time_t->date conversions to see what's going on with SELinux policy errors!
There is a utility ausearch that fulfills this. For example, if you know the
event you are looking for is between 8:30 & 9:00, the syntax is this:
ausearch -ts 08:30:00 -te 09:00:00
If you want all records to now, check and see what time it is. For example, 8:50:
ausearch -te 08:50:00
time->Sun Apr 24 13:59:15 2005
type=KERNEL msg=audit(1114365555.724:10300557): syscall=39 arch=40000003
success=yes exit=0 a0=bffed9d0 a1=b6cff4 a2=804847c a3=0 items=1 pid=16601
loginuid=4325 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
type=KERNEL msg=audit(1114365555.724:10300557): item=0 name="/tmp/config3"
inode=2 dev=03:08 mode=041777 uid=0 gid=0 rdev=00:00
ausearch is slated to have more improvements that make the whole record easy to
That seems fine, though actually formatting the date is what's important to me.
though if those "-ts" and "-te" options are not proper GNU getopt_long-style
--long-options then please make them so to be consistent with 95% of the rest of
i.e. much preferable syntax:
ausearch --since 08:00 --earlier 09:00
== ausearch -s 08:00 -e 09:00
>That seems fine, though actually formatting the date is what's important to me.
What is missing? What do you want to see?
>though if those "-ts" and "-te" options are not proper GNU getopt_long-style
>--long-options then please make them so to be consistent with 95% of the rest
>of the distro!
This is not likely to happen in the near future. I have real bugs and
functionality that's simply missing that has to be done real soon. I also did
not want the commandline option mess that auditctl became (before I took it over).
Sorry I missed the "time->" part, never mind me :)
I added a -i commandline option for ausearch. This interprets all numeric
information into human readable text.
type=USER_AUTH msg=audit(06/02/05 16:37:06.836:2403073) : user pid=2795
uid=sgrubb auid=sgrubb msg='PAM authentication: user=root exe="/bin/su"
(hostname=?, addr=?, terminal=pts/1 result=Success)'
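
The timestamp conversion discussed in this report, as an added example (not ausearch's code and not part of the original thread): it parses the audit(seconds.milliseconds:serial) stamp, rewrites it in the date layout of the -i sample above, and filters records by a time window in the manner of -ts/-te. The names parse_stamp, humanize and between are hypothetical, and times are rendered in UTC by default, whereas ausearch prints local time.

```python
import re
from datetime import datetime, timedelta, timezone

# Kernel audit stamp: audit(<epoch seconds>.<milliseconds>:<serial>)
STAMP = re.compile(r"audit\((\d+)\.(\d{3}):(\d+)\)")

def parse_stamp(line):
    """Return (timezone-aware UTC datetime, serial) for a record, or None."""
    m = STAMP.search(line)
    if m is None:
        return None
    secs, millis, serial = map(int, m.groups())
    # Integer arithmetic keeps the millisecond field exact (no float rounding).
    when = datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(milliseconds=millis)
    return when, serial

def humanize(line, tz=timezone.utc):
    """Rewrite the stamp in the date layout of the 'ausearch -i' sample above."""
    def repl(m):
        secs, millis, serial = map(int, m.groups())
        day = datetime.fromtimestamp(secs, tz=tz).strftime("%m/%d/%y %H:%M:%S")
        return "audit(%s.%03d:%d)" % (day, millis, serial)
    return STAMP.sub(repl, line)

def between(lines, start, end):
    """Keep records whose stamp falls in [start, end]; unstamped lines are dropped."""
    kept = []
    for line in lines:
        parsed = parse_stamp(line)
        if parsed and start <= parsed[0] <= end:
            kept.append(line)
    return kept

# Sample records: the first two are from this report (joined onto one line
# each and shortened); the third is constructed from the stamp in the request.
SAMPLE = [
    'type=KERNEL msg=audit(1114365555.724:10300557): syscall=39 success=yes exit=0',
    'type=KERNEL msg=audit(1114365555.724:10300557): item=0 name="/tmp/config3"',
    'type=KERNEL msg=audit(1114428905.134:0): constructed record',
]

if __name__ == "__main__":
    lo = datetime(2005, 4, 24, 17, 30, tzinfo=timezone.utc)
    hi = datetime(2005, 4, 24, 18, 0, tzinfo=timezone.utc)
    for rec in between(SAMPLE, lo, hi):
        print(humanize(rec))
```

Records that share the same stamp and serial, like the first two samples, are converted identically, so they still line up after rewriting.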