[systemd-devel] parsing audit messages
zbyszek at in.waw.pl
Thu Mar 26 06:56:56 PDT 2015
On Thu, Mar 26, 2015 at 09:42:45AM +0100, Lennart Poettering wrote:
> On Sun, 15.03.15 03:51, Zbigniew Jędrzejewski-Szmek (zbyszek at in.waw.pl) wrote:
> > On Sun, Mar 15, 2015 at 03:49:07AM +0100, Zbigniew Jędrzejewski-Szmek wrote:
> > > Hi,
> > >
> > > I was looking at some debug logs, and the audit messages are
> > > semi-useless in their current undecoded form:
> > >
> > > mar 14 22:24:02 fedora22 audit: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> > > mar 14 22:24:05 fedora22 audit: <audit-1327> proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F7365637572697479
> > >
> > > You added code to parse this, and I think we should make use of it and
> > > put msg= field as MESSAGE=, and maybe store the original message as
> > > _AUDIT= or something. If there's no msg field, like with proctitle,
> > > print all fields that are in the message, but using our cescape, and
> > > not this hexadecimal form which is unreadable for humans.
> > I think we should also translate type= to names...
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Audit_Record_Types.html
> Well, we don't translate MESSAGE_ID fields to strings either...
Here the mapping is stable, and maintained in one place... I think it's more
like dns TYPE field, completely reversible, then MESSAGE_IDs.
I see your point about the format being too messy to parse
reliably. OTOH, currently, what we log is much harder to use than the
standard audit logs. Dunno.
More information about the systemd-devel