[systemd-devel] parsing audit messages
lennart at poettering.net
Thu Mar 26 01:42:45 PDT 2015
On Sun, 15.03.15 03:51, Zbigniew Jędrzejewski-Szmek (zbyszek at in.waw.pl) wrote:
> On Sun, Mar 15, 2015 at 03:49:07AM +0100, Zbigniew Jędrzejewski-Szmek wrote:
> > Hi,
> > I was looking at some debug logs, and the audit messages are
> > semi-useless in their current undecoded form:
> > mar 14 22:24:02 fedora22 audit: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> > mar 14 22:24:05 fedora22 audit: <audit-1327> proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F7365637572697479
> > You added code to parse this, and I think we should make use of it and
> > put msg= field as MESSAGE=, and maybe store the original message as
> > _AUDIT= or something. If there's no msg field, like with proctitle,
> > print all fields that are in the message, but using our cescape, and
> > not this hexadecimal form which is unreadable for humans.
> I think we should also translate type= to names...
Well, we don't translate MESSAGE_ID fields to strings either...
Lennart Poettering, Red Hat
More information about the systemd-devel