Secure OS Software for Linux
/var/log/audit/audit.log in Linux

Gaby1110
Frequent Advisor

Hi,

We are using auditd for the file system and file changes monitoring and are able to see the log either in /audit.log file or using the ausearch command. We would like to use a script or tool which can help us to find specific parameters in the log. Please find below one example and report which we would like to generate automatically.

type=PATH msg=audit(09/23/2009 03:58:50.385:263) : item=1 name=/u01/modprobe.conf inode=49156 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(09/23/2009 03:58:50.385:263) : item=0 name=/u01/ inode=2 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(09/23/2009 03:58:50.385:263) : cwd=/etc
type=SYSCALL msg=audit(09/23/2009 03:58:50.385:263) : arch=x86_64 syscall=open success=yes exit=4 a0=14a9ada0 a1=41 a2=81a4 a3=0 items=2 ppid=7524 pid=8533 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=21 comm=cp exe=/bin/cp key=u0dir

Manual analysis:
Audit log time: 09/23/2009 03:58:50.385:263
User: root
Group: root
File Name: modprobe.conf
PATH: /u01
CWD: /etc
Arch: x86_64
Success: Yes
Command: cp
Command Path: /bin/cp
Details: Copied file from /etc to /u01

Thanks
Gaby
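One way to automate the manual analysis above, as an added example that is not part of the original thread: a small Python parser for the interpreted (ausearch -i style) record format quoted in the question. It groups records by their msg=audit(...) stamp, pulls the SYSCALL, CWD and PATH fields, and emits the same summary fields. The sample records are the ones from the question, embedded inline so it runs offline; the field names and report layout are my assumptions, not anything auditd defines.

```python
import re
from collections import defaultdict

# Constructed sample input: the interpreted (ausearch -i style) records quoted in the post.
SAMPLE = """\
type=PATH msg=audit(09/23/2009 03:58:50.385:263) : item=1 name=/u01/modprobe.conf inode=49156 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(09/23/2009 03:58:50.385:263) : item=0 name=/u01/ inode=2 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(09/23/2009 03:58:50.385:263) : cwd=/etc
type=SYSCALL msg=audit(09/23/2009 03:58:50.385:263) : arch=x86_64 syscall=open success=yes exit=4 a0=14a9ada0 a1=41 a2=81a4 a3=0 items=2 ppid=7524 pid=8533 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=21 comm=cp exe=/bin/cp key=u0dir
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(([^)]+)\) : (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def parse_records(text):
    """Group records by their msg=audit(...) stamp: all records of one syscall share it."""
    events = defaultdict(lambda: {"PATH": [], "other": {}})
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # skip "----" separators and anything that is not a record
        rtype, stamp, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events[stamp]
        if rtype == "PATH":
            ev["PATH"].append(fields)  # one PATH record per item (directory and file)
        else:
            ev["other"][rtype] = fields
    return events

def summarize(stamp, ev):
    """Reduce one event to the fields of the post's manual analysis (hypothetical layout)."""
    sc = ev["other"].get("SYSCALL", {})
    files = [p["name"] for p in ev["PATH"] if p.get("mode", "").startswith("file")]
    dirs = [p["name"] for p in ev["PATH"] if p.get("mode", "").startswith("dir")]
    return {
        "time": stamp, "user": sc.get("uid"), "group": sc.get("gid"),
        "file": files[0].rsplit("/", 1)[-1] if files else None,
        "path": (dirs[0].rstrip("/") or "/") if dirs else None,
        "cwd": ev["other"].get("CWD", {}).get("cwd"), "arch": sc.get("arch"),
        "success": sc.get("success") == "yes", "syscall": sc.get("syscall"),
        "command": sc.get("comm"), "exe": sc.get("exe"), "key": sc.get("key"),
    }

def analyze(text):  # one summary per event, in order of first appearance
    return [summarize(stamp, ev) for stamp, ev in parse_records(text).items()]

if __name__ == "__main__":
    for s in analyze(SAMPLE):
        print("\n".join(f"{k}: {v}" for k, v in s.items()), end="\n\n")
```

To run it over a real log, replace SAMPLE with the text of `ausearch -i` output (for example filtered with `-k u0dir`), which is the same interpreted format.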
Ivan Ferreira
Honored Contributor

Re: /var/log/audit/audit.log in Linux

Please see this link, it may help:

http://people.redhat.com/sgrubb/audit/visualize/index.html
Why do it the hard way, when you can do it the easy way?