Bug 155885 - RFE: log human-readable timestamps in audit logs?
Summary: RFE: log human-readable timestamps in audit logs?
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: audit
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Steve Grubb
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-04-25 11:41 UTC by Joe Orton
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 0.9.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-06-02 20:34:01 UTC



Description Joe Orton 2005-04-25 11:41:31 UTC
Would it be possible to log human-readable timestamps in the audit logs rather
than the time_t values? audit(1114428905.134:0). A couple of times I've had to
do time_t->date conversions to see what's going on with SELinux policy errors!

Comment 1 Steve Grubb 2005-04-25 12:49:41 UTC
There is a utility ausearch that fulfills this. For example, if you know the
event you are looking for is between 8:30 & 9:00, the syntax is this:

ausearch -ts 08:30:00 -te 09:00:00

If you want all records up to now, check and see what time it is. For example, 8:50:

ausearch -te 08:50:00

Sample record:

----
time->Sun Apr 24 13:59:15 2005
type=KERNEL msg=audit(1114365555.724:10300557): syscall=39 arch=40000003
success=yes exit=0 a0=bffed9d0 a1=b6cff4 a2=804847c a3=0 items=1 pid=16601
loginuid=4325 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
type=KERNEL msg=audit(1114365555.724:10300557): item=0 name="/tmp/config3"
inode=2 dev=03:08 mode=041777 uid=0 gid=0 rdev=00:00


ausearch is slated to have more improvements that make the whole record easy to
understand.
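
The conversion discussed above (the time_t in msg=audit(SECS.MS:SERIAL) to the
"time->" header, plus a -ts/-te style window), as an added illustration that is not
part of the audit package or this bug; the sample records below are constructed,
and local-time rendering is replaced by UTC so the output is reproducible.

```python
import re
from datetime import datetime, timezone

# Matches the kernel's msg=audit(SECONDS.MILLIS:SERIAL) stamp on an audit line.
AUDIT_RE = re.compile(r"msg=audit\((?P<secs>\d+\.\d+):(?P<serial>\d+)\)")

# Constructed sample records in the comment-1 layout (not from a real system).
SAMPLE_LOG = """\
type=KERNEL msg=audit(1114365555.724:10300557): syscall=39 arch=40000003 success=yes exit=0 pid=16601 uid=0
type=KERNEL msg=audit(1114365555.724:10300557): item=0 name="/tmp/config3" inode=2 dev=03:08 mode=041777
type=USER_AUTH msg=audit(1114428905.134:0): user pid=2795 uid=0 msg='PAM authentication: user=root'
"""


def parse_stamp(line):
    """Return (epoch_seconds_float, serial) for one audit line, or None if it has no stamp."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return float(m.group("secs")), int(m.group("serial"))


def human_time(secs, tz=timezone.utc):
    """Render a time_t like ausearch's 'time->' header (UTC here; ausearch uses local time)."""
    return datetime.fromtimestamp(secs, tz=tz).strftime("%a %b %d %H:%M:%S %Y")


def group_events(text):
    """Group lines by (timestamp, serial) so a multi-line kernel record becomes one event."""
    events = {}
    for line in text.splitlines():
        stamp = parse_stamp(line)
        if stamp:
            events.setdefault(stamp, []).append(line)
    return events


def render(text, start=None, end=None, tz=timezone.utc):
    """Format events with a readable header, keeping only those within [start, end]
    epoch seconds when given (the equivalent of ausearch -ts / -te)."""
    out = []
    for (secs, serial), lines in sorted(group_events(text).items()):
        if (start is not None and secs < start) or (end is not None and secs > end):
            continue  # outside the requested window
        out.append("----")
        out.append("time->" + human_time(secs, tz))
        out.extend(lines)
    return "\n".join(out)


if __name__ == "__main__":
    print(render(SAMPLE_LOG))
```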

Comment 2 Joe Orton 2005-04-25 13:11:10 UTC
That seems fine, though actually formatting the date is what's important to me.

Though if those "-ts" and "-te" options are not proper GNU getopt_long-style
--long-options, then please make them so, to be consistent with 95% of the rest of
the distro!

i.e. much preferable syntax:

ausearch --since 08:00 --earlier 09:00
== ausearch -s 08:00 -e 09:00



Comment 3 Steve Grubb 2005-04-25 13:30:38 UTC
>That seems fine, though actually formatting the date is what's important to me.

What is missing? What do you want to see?

>though if those "-ts" and "-te" options are not proper GNU getopt_long-style
>--long-options then please make them so to be consistent with 95% of the rest 
>of the distro!

This is not likely to happen in the near future. I have real bugs and
functionality that's simply missing that has to be done real soon. I also did
not want the commandline option mess that auditctl became (before I took it over).

Comment 4 Joe Orton 2005-04-25 13:32:10 UTC
Sorry I missed the "time->" part, never mind me :)

Comment 5 Steve Grubb 2005-06-02 20:34:01 UTC
I added a -i commandline option for ausearch. This interprets all numeric
information into human readable text.

type=USER_AUTH msg=audit(06/02/05 16:37:06.836:2403073) : user pid=2795
uid=sgrubb auid=sgrubb msg='PAM authentication: user=root exe="/bin/su"
(hostname=?, addr=?, terminal=pts/1 result=Success)'

