Description of problem:
auditd doesn't timestamp entries in /var/log/audit/audit.log

Version-Release number of selected component (if applicable):
audit-1.6.2-4.fc8

How reproducible:
always

Steps to Reproduce:
1. service auditd start

Actual results:
reading /var/log/audit/audit.log shows many entries, but they are not time stamped.

Expected results:
each entry would indicate the time it was written to the log as is done for /var/log/messages for instance.

Additional info:
When many selinux errors are being hunted down, it would be very useful to have timestamps of each entry to easily associate system actions (starting a daemon for example) with the actual error in audit.log.
The timestamps are already in the events - but encoded. The ausearch program is the audit log viewer. It will extract the timestamp from the events and display it for you. The '-i' option will do further interpretation. If you have done something recent and want to see the avcs, use: ausearch --start recent -m avc -i | less If you can see the timestamps through ausearch, I'll go ahead and close this bug report.
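To make the "encoded" remark concrete: every raw audit.log record carries a header of the form msg=audit(SECONDS.MILLISECONDS:SERIAL), where the first field is a Unix epoch timestamp and the serial ties together the several records (AVC, SYSCALL, ...) that make up one event. The following Python is an added illustration, not code from the audit project or from this bug report; it decodes that header, groups records into events and mimics a subset of what ausearch --start recent -m avc does. The log lines are constructed samples, the ten-minute window for "recent" follows the ausearch(8) description, and the helper names (parse_record, group_events, search_events, recent_start) are this example's own.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample records in raw audit.log format (not taken from the bug report).
# Records 1 and 2 share one event id; record 3 is a service start; record 4 is a later AVC.
SAMPLE_LOG = """\
type=AVC msg=audit(1194623567.123:4567): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1194623567.123:4567): arch=40000003 syscall=5 success=no exit=-13 pid=2345 comm="httpd" subj=system_u:system_r:httpd_t:s0
type=SERVICE_START msg=audit(1194623580.002:4568): pid=1 uid=0 msg='unit=httpd' res=success
type=AVC msg=audit(1194624000.500:4570): avc:  denied  { write } for  pid=2345 comm="httpd" name="access_log" tclass=file
"""

# type=<TYPE> msg=audit(<epoch secs>.<millis>:<serial>): <body>
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<secs>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)


def parse_record(line):
    """Decode one raw record; return None for lines that are not audit records."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    secs, ms = int(m['secs']), int(m['ms'])
    # Epoch seconds are timezone-free; decode as UTC so the result is deterministic.
    ts = datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(milliseconds=ms)
    return {
        'type': m['type'],
        'time': ts,
        'serial': int(m['serial']),
        'event_id': f"{m['secs']}.{m['ms']}:{m['serial']}",  # same id => same event
        'body': m['body'],
    }


def group_events(lines):
    """Map event id -> list of records, preserving log order (one event can span many records)."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec['event_id'], []).append(rec)
    return events


def recent_start(now_epoch):
    """Start of the window ausearch calls 'recent': ten minutes before now (assumed epoch seconds)."""
    return datetime.fromtimestamp(now_epoch, tz=timezone.utc) - timedelta(minutes=10)


def search_events(lines, msg_type=None, start=None):
    """Return events ordered by time, keeping those that contain a record of msg_type
    (like -m) and whose timestamp is at or after start (like --start)."""
    out = []
    for records in group_events(lines).values():
        if msg_type and not any(r['type'] == msg_type for r in records):
            continue
        if start and records[0]['time'] < start:
            continue
        out.append(records)
    return sorted(out, key=lambda recs: recs[0]['time'])


def format_event(records):
    """Render an event with its decoded time first, roughly in the spirit of ausearch output."""
    head = records[0]
    lines = [f"time->{head['time'].strftime('%Y-%m-%d %H:%M:%S.%f')[:-3]} UTC serial={head['serial']}"]
    lines += [f"type={r['type']} {r['body']}" for r in records]
    return "\n".join(lines)


if __name__ == '__main__':
    # Equivalent of: ausearch --start recent -m avc, with "now" fixed to a constructed instant.
    for ev in search_events(SAMPLE_LOG.splitlines(), msg_type='AVC',
                            start=recent_start(now_epoch=1194624300)):
        print(format_event(ev))
        print('----')
```

Running the block prints only the later AVC event, because the earlier one falls outside the ten-minute window; drop the start argument to see both. The key point for anyone correlating SELinux denials with daemon starts, as the reporter wanted, is that the SERVICE_START and AVC records carry comparable epoch timestamps in that header, so the ordering is recoverable from the raw file even before interpretation with -i.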
Thanks. I used ausearch as you recommended and I can now see the times.
Closing bug report as mentioned above. If you have any questions about audit feel free to contact me or the linux-audit mail list.