[systemd-devel] parsing audit messages

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Sat Mar 14 19:49:07 PDT 2015


Hi,

I was looking at some debug logs, and the audit messages are
semi-useless in their current undecoded form:

mar 14 22:24:02 fedora22 audit[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
mar 14 22:24:05 fedora22 audit: <audit-1327> proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F7365637572697479

You added code to parse this, and I think we should make use of it and
put msg= field as MESSAGE=, and maybe store the original message as
_AUDIT= or something. If there's no msg field, like with proctitle,
print all fields that are in the message, but using our cescape, and
not this hexadecimal form which is unreadable for humans.

Thoughts?

Zbyszek
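The decoding proposed above, as an added example that is not systemd's code and not part of the original thread: a small Python parser (systemd itself is C) that splits an audit record into fields, lifts `msg=` into `MESSAGE=` and keeps the raw record as `_AUDIT=`, and, for records without `msg=`, renders every field readably. Hex-encoded values are decoded only for a hand-picked set of field names (an assumption here; the kernel rule is "quoted if printable, uppercase hex otherwise", and a generic "looks like hex" check would wrongly decode numeric values such as `auid=4294967295`). The `cescape` here is a plain C-style escaper modelled on that behaviour, not systemd's own function. The two sample lines are constructed to match the shape of the ones quoted in the post.

```python
import re
from typing import Dict, Optional

# Constructed sample records, shaped like the two quoted in the post.
SAMPLE_LINES = [
    "mar 14 22:24:02 fedora22 audit[1]: <audit-1130> pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger "
    "comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'",
    "mar 14 22:24:05 fedora22 audit: <audit-1327> "
    "proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F7365637572697479",
]

# syslog-style prefix, optional [pid], then the <audit-TYPE> marker and the record body
LINE_RE = re.compile(
    r"^(?P<ts>\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+audit(?:\[(?P<pid>\d+)\])?:\s+"
    r"<audit-(?P<type>\d+)>\s*(?P<body>.*)$"
)
# key=value where value is '...' (may contain spaces), "..." or a bare token
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S*)")
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")

# Assumed set of fields the kernel hex-encodes when the value is not plain printable text.
HEX_FIELDS = {"proctitle", "cmd", "data", "name", "comm", "exe", "key", "acct"}


def cescape(data: bytes) -> str:
    """C-style escaping: printable ASCII passes through; backslash, double quote,
    newline and tab get their short forms; everything else becomes \\ooo (octal)."""
    out = []
    for b in data:
        if b == 0x5C:
            out.append("\\\\")
        elif b == 0x22:
            out.append('\\"')
        elif b == 0x0A:
            out.append("\\n")
        elif b == 0x09:
            out.append("\\t")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)
    return "".join(out)


def decode_value(key: str, raw: str) -> str:
    """Strip quotes from quoted values; turn hex-encoded values back into readable text."""
    if len(raw) >= 2 and raw[0] in ("'", '"') and raw[-1] == raw[0]:
        return raw[1:-1]
    if key in HEX_FIELDS and HEX_RE.match(raw):
        data = bytes.fromhex(raw)
        if key == "proctitle":
            # argv is recorded NUL-separated; show it the way a shell would print it
            return " ".join(cescape(arg) for arg in data.split(b"\x00"))
        return cescape(data)
    return raw


def parse_audit_fields(body: str) -> Dict[str, str]:
    """Split a record body into decoded key/value pairs (first occurrence of each key wins)."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(body):
        fields.setdefault(key, decode_value(key, raw))
    return fields


def decode_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Map one log line to journal-style keys: MESSAGE from msg= if present,
    otherwise all fields rendered readably; the raw body is kept as _AUDIT."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    fields = parse_audit_fields(body)
    rec = {"_AUDIT_TYPE": m.group("type"), "_AUDIT": body}
    if "msg" in fields:
        rec["MESSAGE"] = fields["msg"]
    else:
        rec["MESSAGE"] = " ".join("%s=%s" % (k, v) for k, v in fields.items())
    return rec


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        rec = decode_audit_line(sample)
        if rec:
            print("audit-%s: %s" % (rec["_AUDIT_TYPE"], rec["MESSAGE"]))
```

Keying the hex decoding on field names rather than on "does this look like hex" is the point worth noticing: a decoder that guessed would turn `auid=4294967295` into binary garbage, which is exactly the kind of silent misrendering a log pipeline must avoid.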

