Friday, June 22, 2007

Display Binary Audit Log Information in ASCII Format

The files in the /var/audit directory are the place to look when inspecting activity on a Solaris host; however, they are written in the binary BSM audit format and cannot be read directly. I use the praudit command to translate them into a human-readable format. Here's an example of praudit's output, showing a local login followed by two telnet logins.

The audit daemon keeps the current audit file open (its name ends in not_terminated instead of an end timestamp), so first terminate it with audit -n, which closes the current file and starts a new one. The closed file is named start-time.end-time.hostname and can then be passed to praudit:
#cd /var/audit
#audit -n
#praudit 20070621120225.20070621120111.esofthub | more
file,Thu 21 Jun 2007 09:02:25 PM KST, + 843354 msec,
header,44,2,system booted,na,Thu 21 Jun 2007 09:02:09 PM KST, + 449998911 msec
text,booting kernel
header,81,2,login - local,,Thu 21 Jun 2007 09:02:41 PM KST, + 300000097 msec
subject,root,root,other,root,other,314,314,0 0 esofthub
text,successful login
return,success,0
header,81,2,login - telnet,,Fri 22 Jun 2007 08:00:38 PM KST, + 889999653 msec
subject,root,root,other,root,other,606,606,746 65559 192.168.X.XXX
text,successful login
return,success,0
header,81,2,login - telnet,,Fri 22 Jun 2007 08:03:24 PM KST, + 630007314 msec
subject,root,root,other,root,other,619,619,749 196631 192.168.X.XXX
text,successful login

Alternatively, merge every audit file in the directory with auditreduce and pipe the combined trail into praudit (auditreduce also accepts selection options, for example -u root to keep only records for the audit user root):

#cd /var/audit
#auditreduce | praudit | more
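Scrolling through praudit output with more does not scale once a trail holds thousands of records. As an added example that is not part of the original post, here is a small Python parser for praudit's default layout (one token per line, comma-separated fields, a record beginning at each header token) that pulls out the login records and counts root logins by source host. The sample text is constructed from the records listed above, with the address masked exactly as on the page; the function and variable names are this example's own, not anything from praudit or Solaris.

```python
"""Parse praudit's default output into records and pull out login events.

Added example (not from the original post). Assumes praudit's default layout:
one token per line, fields separated by commas, a record starting at each
'header' token. Function and variable names are this example's own.
"""
from collections import Counter

# Constructed sample: the praudit output listed above, with the address masked
# exactly as on the page. The last record has no 'return' token, which is what
# you see when the trail was cut off (here, by 'more').
SAMPLE = """\
file,Thu 21 Jun 2007 09:02:25 PM KST, + 843354 msec,
header,44,2,system booted,na,Thu 21 Jun 2007 09:02:09 PM KST, + 449998911 msec
text,booting kernel
header,81,2,login - local,,Thu 21 Jun 2007 09:02:41 PM KST, + 300000097 msec
subject,root,root,other,root,other,314,314,0 0 esofthub
text,successful login
return,success,0
header,81,2,login - telnet,,Fri 22 Jun 2007 08:00:38 PM KST, + 889999653 msec
subject,root,root,other,root,other,606,606,746 65559 192.168.X.XXX
text,successful login
return,success,0
header,81,2,login - telnet,,Fri 22 Jun 2007 08:03:24 PM KST, + 630007314 msec
subject,root,root,other,root,other,619,619,749 196631 192.168.X.XXX
text,successful login
"""


def parse_records(text):
    """Split praudit text into a list of records (dicts), one per 'header' token.

    'file' tokens that bracket the trail, and tokens before the first header,
    are skipped. Fields are positional:
      header,<bytes>,<version>,<event name>,<modifier>,<timestamp>, + <usec> msec
      subject,<audit-uid>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<terminal-id>
      return,<error string>,<return value>
    where <terminal-id> is "major minor host" and host is a name or address.
    """
    records = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        token = fields[0]
        if token == "file":
            current = None          # not an event; marks the start/end of a file
        elif token == "header":
            current = {
                "event": fields[3],
                "modifier": fields[4],
                "time": fields[5].strip(),
                "subject": None,
                "text": [],
                "return": None,     # stays None if the record is truncated
            }
            records.append(current)
        elif current is None:
            continue                # stray token outside any record
        elif token == "subject":
            tid = fields[8].split()
            current["subject"] = {
                "audit_uid": fields[1], "uid": fields[2], "gid": fields[3],
                "ruid": fields[4], "rgid": fields[5],
                "pid": int(fields[6]), "sid": int(fields[7]),
                "host": tid[-1] if tid else "",
            }
        elif token == "text":
            # text may itself contain commas, so re-join everything after the tag
            current["text"].append(",".join(fields[1:]))
        elif token == "return":
            current["return"] = (fields[1], fields[2])
    return records


def login_events(records):
    """Return (event, audit user, pid, source host, outcome) for each login record.

    The outcome comes from the return token. A record with no return token is
    reported as 'incomplete' rather than assumed successful: the 'successful
    login' text token alone is not the audited result.
    """
    events = []
    for rec in records:
        if not rec["event"].startswith("login") or rec["subject"] is None:
            continue
        subj = rec["subject"]
        outcome = rec["return"][0] if rec["return"] else "incomplete"
        events.append((rec["event"], subj["audit_uid"], subj["pid"],
                       subj["host"], outcome))
    return events


def root_logins_by_source(records):
    """Count login records whose audit user is root, keyed by source host.

    On a host where root should only log in at the console, any key other than
    the local host name is worth a closer look.
    """
    return Counter(host for _, user, _, host, _ in login_events(records)
                   if user == "root")


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for ev in login_events(recs):
        print("%-15s user=%s pid=%d from=%s result=%s" % ev)
    print(dict(root_logins_by_source(recs)))
```

To run it against a real trail, replace SAMPLE with the text from praudit (or auditreduce | praudit) on a terminated file; the record boundaries and field positions are the same. The outcome is deliberately taken from the return token rather than the free-form text token, and a record that ends before its return token is flagged as incomplete instead of counted as a success.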
