[systemd-devel] parsing audit messages

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Mon Mar 16 10:37:44 PDT 2015

On Mon, Mar 16, 2015 at 06:33:39PM +0100, David Herrmann wrote:
> Hi
> On Sun, Mar 15, 2015 at 3:49 AM, Zbigniew Jędrzejewski-Szmek
> <zbyszek at in.waw.pl> wrote:
> > Hi,
> >
> > I was looking at some debug logs, and the audit messages are
> > semi-useless in their current undecoded form:
> >
> > mar 14 22:24:02 fedora22 audit[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> > mar 14 22:24:05 fedora22 audit: <audit-1327> proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F7365637572697479
> >
> > You added code to parse this, and I think we should make use of it and
> > put msg= field as MESSAGE=, and maybe store the original message as
> > _AUDIT= or something. If there's no msg field, like with proctitle,
> > print all fields that are in the message, but using our cescape, and
> > not this hexadecimal form which is unreadable for humans.
> Audit messages cannot be parsed reliably. They don't do escaping and
> it's really a big mess. I'm not saying we shouldn't try it, but just
> as a heads-up, this might cause some troubles.
Lennart already implemented parsing. I'm sure it's not perfect, but it doesn't
really have to be. If we can parse the most common messages than it would already
be a big improvement.


More information about the systemd-devel mailing list