topic /var/log/audit/audit.log in Linux in Secure OS Software for Linux https://community.hpe.com/t5/secure-os-software-for-linux/var-log-audit-audit-log-in-linux/m-p/4503388#M542 Hi,<BR /><BR />We are using auditd for the file system and file changes monitoring and are able to see the log either in /audit.log file or using the ausearch command. We woulk like to use a script or tool which can help us to find specific parameters in the log. Please find below one example and report which we would like to generate automatically.<BR /><BR />type=PATH msg=audit(09/23/2009 03:58:50.385:263) : item=1 name=/u01/modprobe.conf inode=49156 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00<BR />type=PATH msg=audit(09/23/2009 03:58:50.385:263) : item=0 name=/u01/ inode=2 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00<BR />type=CWD msg=audit(09/23/2009 03:58:50.385:263) : cwd=/etc<BR />type=SYSCALL msg=audit(09/23/2009 03:58:50.385:263) : arch=x86_64 syscall=open success=yes exit=4 a0=14a9ada0 a1=41 a2=81a4 a3=0 items=2 ppid=7524 pid=8533 a<BR />uid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=21 comm=cp exe=/bin/cp key=u0dir<BR /><BR />Manual analysis:-<BR />Audit log time : 09/23/2009 03:58:50.385:263<BR />User: root<BR />Group:root<BR />File Name: modprobe.conf<BR />PATH:/u01<BR />CWD:/etc<BR />Arch: x86_64<BR />Success: Yes<BR />Command: cp<BR />Command Path:/bin/cp<BR />Details: Copied file from /etc to /u01<BR /><BR />Thanks<BR />Gaby Fri, 25 Sep 2009 10:14:22 GMT Gaby1110 2009-09-25T10:14:22Z /var/log/audit/audit.log in Linux https://community.hpe.com/t5/secure-os-software-for-linux/var-log-audit-audit-log-in-linux/m-p/4503388#M542 Hi,<BR /><BR />We are using auditd for the file system and file changes monitoring and are able to see the log either in /audit.log file or using the ausearch command. We woulk like to use a script or tool which can help us to find specific parameters in the log. Please find below one example and report which we would like to generate automatically.<BR /><BR />type=PATH msg=audit(09/23/2009 03:58:50.385:263) : item=1 name=/u01/modprobe.conf inode=49156 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00<BR />type=PATH msg=audit(09/23/2009 03:58:50.385:263) : item=0 name=/u01/ inode=2 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00<BR />type=CWD msg=audit(09/23/2009 03:58:50.385:263) : cwd=/etc<BR />type=SYSCALL msg=audit(09/23/2009 03:58:50.385:263) : arch=x86_64 syscall=open success=yes exit=4 a0=14a9ada0 a1=41 a2=81a4 a3=0 items=2 ppid=7524 pid=8533 a<BR />uid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=21 comm=cp exe=/bin/cp key=u0dir<BR /><BR />Manual analysis:-<BR />Audit log time : 09/23/2009 03:58:50.385:263<BR />User: root<BR />Group:root<BR />File Name: modprobe.conf<BR />PATH:/u01<BR />CWD:/etc<BR />Arch: x86_64<BR />Success: Yes<BR />Command: cp<BR />Command Path:/bin/cp<BR />Details: Copied file from /etc to /u01<BR /><BR />Thanks<BR />Gaby Fri, 25 Sep 2009 10:14:22 GMT https://community.hpe.com/t5/secure-os-software-for-linux/var-log-audit-audit-log-in-linux/m-p/4503388#M542 Gaby1110 2009-09-25T10:14:22Z Re: /var/log/audit/audit.log in Linux https://community.hpe.com/t5/secure-os-software-for-linux/var-log-audit-audit-log-in-linux/m-p/4503389#M543 Plase see this link, it may help:<BR /><BR /><A href="http://people.redhat.com/sgrubb/audit/visualize/index.html" target="_blank">http://people.redhat.com/sgrubb/audit/visualize/index.html</A> Fri, 25 Sep 2009 14:14:26 GMT https://community.hpe.com/t5/secure-os-software-for-linux/var-log-audit-audit-log-in-linux/m-p/4503389#M543 Ivan Ferreira 2009-09-25T14:14:26Z