[systemd-devel] parsing audit messages

Lennart Poettering lennart at poettering.net
Thu Mar 26 01:42:45 PDT 2015


On Sun, 15.03.15 03:51, Zbigniew Jędrzejewski-Szmek (zbyszek at in.waw.pl) wrote:

> On Sun, Mar 15, 2015 at 03:49:07AM +0100, Zbigniew Jędrzejewski-Szmek wrote:
> > Hi,
> > 
> > I was looking at some debug logs, and the audit messages are
> > semi-useless in their current undecoded form:
> > 
> > mar 14 22:24:02 fedora22 audit[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> > mar 14 22:24:05 fedora22 audit: <audit-1327> proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F7365637572697479
> > 
> > You added code to parse this, and I think we should make use of it and
> > put msg= field as MESSAGE=, and maybe store the original message as
> > _AUDIT= or something. If there's no msg field, like with proctitle,
> > print all fields that are in the message, but using our cescape, and
> > not this hexadecimal form which is unreadable for humans.
> 
> I think we should also translate type= to names...
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Audit_Record_Types.html

Well, we don't translate MESSAGE_ID fields to strings either...

Lennart

-- 
Lennart Poettering, Red Hat
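A parser along the lines Zbigniew proposes above, as an added example that is not code from this thread or from systemd: it splits a record into fields, decodes the uppercase-hex form the kernel uses for untrusted strings (such as proctitle) into a C-escaped form, and translates the type number using a small subset of linux/audit.h. The HEX_ENCODED_FIELDS set, the journal field names (_AUDIT, _AUDIT_TYPE) and the two sample lines taken from the thread are assumptions made for the example.

```python
import re

# Record type numbers from the kernel's linux/audit.h (subset; unknown types fall back to the number)
AUDIT_TYPE_NAMES = {1130: "SERVICE_START", 1131: "SERVICE_STOP", 1327: "PROCTITLE"}
# Assumed set of fields the kernel logs as untrusted strings: quoted when plain, uppercase hex otherwise
HEX_ENCODED_FIELDS = {"proctitle", "comm", "exe", "cwd", "name", "path"}
# key=value, key="..." or key='...' (the msg= field nests a further key=value list)
_FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S*)")

def cescape(raw: bytes) -> str:
    """Render bytes as a C-escaped string: printable ASCII stays, other bytes become \\ooo.
    NUL separates argv entries in proctitle, so each separator shows up as \\000."""
    out = []
    for b in raw:
        if b == 0x5C:  # backslash itself must be escaped
            out.append("\\\\")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)
    return "".join(out)

def decode_value(key: str, value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]  # quoted value: strip the quotes
    if key in HEX_ENCODED_FIELDS and re.fullmatch(r"(?:[0-9A-F]{2})+", value):
        return cescape(bytes.fromhex(value))  # only decode fields known to be hex-encoded
    return value  # plain numbers such as auid=4294967295 are left alone

def parse_audit_record(line: str) -> dict:
    """Split a journal line like '... audit[1]: <audit-1130> k=v ...' into typed fields."""
    m = re.search(r"<audit-(\d+)>\s*(.*)$", line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    type_num, body = int(m.group(1)), m.group(2)
    fields = {k: decode_value(k, v) for k, v in _FIELD_RE.findall(body)}
    if "msg" in fields:  # nested key=value list inside msg='...'
        fields["msg"] = {k: decode_value(k, v) for k, v in _FIELD_RE.findall(fields["msg"])}
    return {"type": type_num, "type_name": AUDIT_TYPE_NAMES.get(type_num, str(type_num)),
            "fields": fields, "raw": body}

def journal_fields(line: str) -> dict:
    """Lay the record out as the thread proposes: MESSAGE from msg= when present, otherwise
    all fields in cescape'd form; the undecoded record is kept in _AUDIT (assumed field name)."""
    rec = parse_audit_record(line)
    src = rec["fields"]["msg"] if "msg" in rec["fields"] else rec["fields"]
    message = " ".join("%s=%s" % (k, v) for k, v in src.items())
    return {"MESSAGE": message, "_AUDIT_TYPE": rec["type_name"], "_AUDIT": rec["raw"]}
```

Running `journal_fields()` over the two lines quoted in the thread yields `unit=systemd-udev-trigger comm=systemd ... res=success` tagged SERVICE_START, and the proctitle record decoded to `/sbin/modprobe\000-q\000--\000iptable_security` tagged PROCTITLE.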
