Discussion:
Audit log decode
khalid fahad
2018-09-11 12:14:05 UTC
Hi,
I need help to decode the following records in audit.log. Thanks
type=PROCTITLE msg=audit(100000000.000:000): proctitle=726D002F7661722F6C6F672F736563757265
type=PATH msg=audit(100000000.000:000): item=1 name="/var/log/secure" inode=34679270 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=DELETE
type=PATH msg=audit(100000000.000:000): item=0 name="/var/log/" inode=33586091 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT
type=CWD msg=audit(100000000.000:000): cwd="/home/adminuser"
type=SYSCALL msg=audit(100000000.000:000): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=b830c0 a2=0 a3=7ffc9bd9d600 items=2 ppid=3493 pid=35055 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="secure_log"
Osama Elnaggar
2018-09-11 12:19:51 UTC
Just save it to a file and use ausearch -i to do the interpolation for
you. For example:

ausearch -if /tmp/testentry -i

where /tmp/testentry contains the below entry

Run it on the same system it was generated on so the UID and other lookups
are accurate
--
Osama Elnaggar

On September 11, 2018 at 10:14:27 PM, khalid fahad (***@gmail.com)
wrote:

Hi,
I need help to decode the following records in audit.log. Thanks

type=PROCTITLE msg=audit(100000000.000:000):
proctitle=726D002F7661722F6C6F672F736563757265

type=PATH msg=audit(100000000.000:000): item=1 name="/var/log/secure"
inode=34679270 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:var_log_t:s0 objtype=DELETE

type=PATH msg=audit(100000000.000:000): item=0 name="/var/log/"
inode=33586091 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:var_log_t:s0 objtype=PARENT

type=CWD msg=audit(100000000.000:000): cwd="/home/adminuser"

type=SYSCALL msg=audit(100000000.000:000): arch=c000003e syscall=263
success=no exit=-13 a0=ffffffffffffff9c a1=b830c0 a2=0 a3=7ffc9bd9d600
items=2 ppid=3493 pid=35055 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm="rm"
exe="/usr/bin/rm"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="secure_log"
--
Linux-audit mailing list
Linux-***@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Steve Grubb
2018-09-11 12:21:44 UTC
Post by khalid fahad
Hi,
I need help to decode the following records in audit.log. Thanks
type=PROCTITLE msg=audit(100000000.000:000): proctitle=726D002F7661722F6C6F672F736563757265
type=PATH msg=audit(100000000.000:000): item=1 name="/var/log/secure" inode=34679270 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=DELETE
type=PATH msg=audit(100000000.000:000): item=0 name="/var/log/" inode=33586091 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT
type=CWD msg=audit(100000000.000:000): cwd="/home/adminuser"
type=SYSCALL msg=audit(100000000.000:000): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=b830c0 a2=0 a3=7ffc9bd9d600 items=2 ppid=3493 pid=35055 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="secure_log"
The ausearch program is able to decode this and is meant to display the audit
logs. If you have that in a file named log, you can just do something like

ausearch -if log -i

and that should decode your event.

-Steve
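What ausearch -i would render for this event, worked by hand as an added example (not from the thread or from the audit package): the script decodes the hex proctitle, names the syscall from a one-entry x86_64 table, and turns exit=-13 into its errno name. The records are a constructed copy of those posted above; the syscall table and AT_FDCWD value are the only assumptions.

```python
import errno
import re
# Constructed copy of the records posted in the thread, one record per line.
RAW_EVENT = """\
type=PROCTITLE msg=audit(100000000.000:000): proctitle=726D002F7661722F6C6F672F736563757265
type=PATH msg=audit(100000000.000:000): item=1 name="/var/log/secure" inode=34679270 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=DELETE
type=PATH msg=audit(100000000.000:000): item=0 name="/var/log/" inode=33586091 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT
type=CWD msg=audit(100000000.000:000): cwd="/home/adminuser"
type=SYSCALL msg=audit(100000000.000:000): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=b830c0 a2=0 a3=7ffc9bd9d600 items=2 ppid=3493 pid=35055 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="secure_log"
"""

# Only the entry this event needs; ausearch carries the full per-architecture tables.
SYSCALL_NAMES = {"c000003e": {263: "unlinkat"}}  # arch c000003e is x86_64
AT_FDCWD = -100
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into key -> raw value (quotes kept to tell encoded fields)."""
    return dict(FIELD_RE.findall(line))

def decode_field(value):
    """Plain strings are quoted; a string holding spaces or control bytes is hex-encoded
    instead, with NUL between argv words (which is why proctitle looks like this)."""
    if value.startswith('"'):
        return value.strip('"')
    return " ".join(bytes.fromhex(value).decode("utf-8", "replace").split("\0"))

def interpret_event(raw_event):
    """Join the records of one event into the facts an analyst reads off ausearch -i."""
    recs = [parse_record(l) for l in raw_event.splitlines() if l.strip()]
    sc = next(r for r in recs if r["type"] == "SYSCALL")
    title = next(r for r in recs if r["type"] == "PROCTITLE")["proctitle"]
    deleted = next(r for r in recs if r["type"] == "PATH" and r["objtype"] == "DELETE")
    exit_code = int(sc["exit"])
    a0 = int(sc["a0"], 16)
    dirfd = a0 - (1 << 64) if a0 >= (1 << 63) else a0  # a0 is logged as unsigned 64-bit
    return {
        "command": decode_field(title),
        "syscall": SYSCALL_NAMES.get(sc["arch"], {}).get(int(sc["syscall"]), sc["syscall"]),
        "outcome": "success" if sc["success"] == "yes"
                   else "failed (%s)" % errno.errorcode.get(-exit_code, exit_code),
        "dirfd": "AT_FDCWD" if dirfd == AT_FDCWD else str(dirfd),
        "target": decode_field(deleted["name"]),
        "actor": "auid=%s uid=%s exe=%s tty=%s" % (sc["auid"], sc["uid"], decode_field(sc["exe"]), sc["tty"]),
        "rule_key": decode_field(sc["key"]),
    }

if __name__ == "__main__":
    for field, value in interpret_event(RAW_EVENT).items():
        print("%-9s %s" % (field, value))
```

Read together: login uid 1000 ran `rm /var/log/secure` from a pts, the unlinkat call was denied with EACCES, and the watch tagged secure_log caught the attempt.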
khalid fahad
2018-09-11 14:05:11 UTC
It didn't work for me. I have an issue.

Sent from my iPhone
Post by Steve Grubb
The ausearch program is able to decode this and is meant to display the audit
logs. If you have that in a file named log, you can just do something like
ausearch -if log -i
and that should decode your event.
-Steve