#1 (Just Joined!, Join Date: Jan 2010, Posts: 9)

    Linux Audit


    Hi All,

    I configured audit logs on my server and it's working fine with its default function.

    But the logs generated are huge, so I want to know if there is any way to reduce the audit log output.

    I want to get the output in the format below.

    Date, time, username, command executed, path, hostname and IP.

    Above are the fields which I require as output.

    Please share any link for the same.

    Please help me.

#2 (Just Joined!, Join Date: Aug 2009, Posts: 83)
    Quote Originally Posted by ash_ok555:
    the logs generated are huge, so I want to know if there is any way to reduce the audit log output.
    Reducing the size of the current logfile may mean configuring Auditd to rotate it more often, but how much gets logged also depends on what rules Auditd runs with. (I don't remember what the default ruleset includes.) If less important rules get triggered more often than you require you could think about commenting them out. However, logging means knowing, so there's a trade-off or risk.


    Quote Originally Posted by ash_ok555:
    I want to get the output in the format below.
    Date, time, username, command executed, path, hostname and IP.
    Tresys provides the "setools" package which includes command-line and graphical tools for reporting. Best look at those before succumbing to homebrewed ones IMHO. If you really want to whip up your own then with some shell and awk-fu you could get far, as long as you resolve date and time from the 2nd field (epoch), user from the UID (15th) field, command executed from the 26th field and so on.
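The shell-and-awk approach the reply above suggests, as an added example that is not part of the thread. It keys on field names rather than field positions (field order differs between record types and kernel versions), joins the SYSCALL, CWD and PATH records of one event on the serial inside msg=audit(epoch:serial), converts the epoch to a UTC date and time in awk itself, and resolves the login uid (auid) through a passwd file. Hostname and IP are not carried in SYSCALL records (auditd puts them only in the USER_* login records), so the host is passed in as an argument. The sample records (the triple quoted later in the thread plus a second constructed event), the passwd entries, the host name and the file paths are constructed or assumed.

```shell
#!/bin/sh
# Added example (not from the thread): reduce raw auditd records to one line
# per event: date, time, login user, command, executable, path, host.
# Sample data is constructed; file paths and the passwd lookup are assumptions.

# usage: audit_summary <passwd-file> <hostname> < audit.log
audit_summary() {
  awk -v host="$2" '
    # Civil date from days since 1970-01-01 (Hinnant days-to-civil algorithm),
    # so the script needs neither gawk strftime() nor GNU date -d.
    function civil(days,   z, era, doe, yoe, y, doy, mp, d, m) {
      z = days + 719468
      era = int((z >= 0 ? z : z - 146096) / 146097)
      doe = z - era * 146097
      yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
      y = yoe + era * 400
      doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
      mp = int((5 * doy + 2) / 153)
      d = doy - int((153 * mp + 2) / 5) + 1
      m = mp < 10 ? mp + 3 : mp - 9
      if (m <= 2) y++
      return sprintf("%04d-%02d-%02d", y, m, d)
    }
    function utc(epoch,   days, rem) {
      days = int(epoch / 86400); rem = epoch - days * 86400
      return civil(days) sprintf(" %02d:%02d:%02d", int(rem / 3600), int(rem % 3600 / 60), rem % 60)
    }
    # First input file is passwd: uid -> name, used to resolve auid.
    FNR == NR { split($0, p, ":"); name[p[3]] = p[1]; next }
    {
      # Every record carries msg=audit(EPOCH.ms:SERIAL); SERIAL ties the
      # SYSCALL, CWD and PATH records of one event together.
      if (!match($0, /msg=audit\([0-9]+\.[0-9]+:[0-9]+\)/)) next
      split(substr($0, RSTART + 10, RLENGTH - 11), t, ":")
      ev = t[2]; ts[ev] = int(t[1])
      # Parse key=value pairs by name, not by position: field order differs
      # between record types and kernel versions.
      split("", kv)
      for (i = 1; i <= NF; i++)
        if (split($i, pair, "=") == 2) { v = pair[2]; gsub(/"/, "", v); kv[pair[1]] = v }
      if (kv["type"] == "SYSCALL") {
        # auid is the login uid: who is accountable even after su/sudo
        user[ev] = (kv["auid"] in name) ? name[kv["auid"]] : "auid=" kv["auid"]
        cmd[ev] = kv["comm"]; exe[ev] = kv["exe"]
      } else if (kv["type"] == "PATH" && kv["item"] == "0") {
        path[ev] = kv["name"]
      }
    }
    END {
      for (ev in ts)
        printf "%d %s %s %s %s %s %s\n", ev, utc(ts[ev]), user[ev], cmd[ev], exe[ev], path[ev], host
    }' "$1" - | sort -n | cut -d" " -f2-
}

# Constructed sample: the triple quoted in the thread plus a second event.
SAMPLE_LOG='type=SYSCALL msg=audit(1263075547.799:15): arch=40000003 syscall=5 success=yes exit=3 a0=bfd44c1d a1=8000 a2=0 a3=8000 items=1 ppid=2581 pid=2712 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="cat" exe="/bin/cat" key=(null)
type=CWD msg=audit(1263075547.799:15): cwd="/root"
type=PATH msg=audit(1263075547.799:15): item=0 name="/var/log/messages" inode=768041 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1263075600.123:16): arch=40000003 syscall=5 success=yes exit=4 a0=bfd44d00 a1=8002 a2=0 a3=0 items=1 ppid=3000 pid=3001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="identity"
type=CWD msg=audit(1263075600.123:16): cwd="/home/ash"
type=PATH msg=audit(1263075600.123:16): item=0 name="/etc/shadow" inode=4213 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00'

# Constructed passwd entries (on a real host pass /etc/passwd instead).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ash:x:1000:1000::/home/ash:/bin/bash'

# demo -> two summary lines, one per event, oldest serial first
demo() {
  pw=$(mktemp)
  printf '%s\n' "$SAMPLE_PASSWD" > "$pw"
  printf '%s\n' "$SAMPLE_LOG" | audit_summary "$pw" auditedhost
  rm -f "$pw"
}

demo
```

Run it on a real file with `audit_summary /etc/passwd "$(hostname)" < /var/log/audit/audit.log`. The summary keeps the accountable user (auid) rather than the effective uid, which is what a reviewer usually wants once root is reached through su or sudo.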

#3 (Just Joined!, Join Date: Jan 2010, Posts: 9)
    Is there any way to remove the SYSCALL from the log below? For every attempt I am getting the output in the format below in the audit.log file, and this is increasing the file space.

    Please tell me, is there any possibility to remove the SYSCALL information before logging to the audit.log file.

    type=SYSCALL msg=audit(1263075547.799:15): arch=40000003 syscall=5 success=yes exit=3 a0=bfd44c1d a1=8000 a2=0 a3=8000 items=1 ppid=2581 pid=2712 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="cat" exe="/bin/cat" key=(null)
    type=CWD msg=audit(1263075547.799:15): cwd="/root"
    type=PATH msg=audit(1263075547.799:15): item=0 name="/var/log/messages" inode=768041 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00

    If possible, please share the steps to implement Linux audit for files and folders in a production setup.

#4 (Just Joined!, Join Date: Aug 2009, Posts: 83)
    Quote Originally Posted by ash_ok555:
    Is there any way to remove the SYSCALL from the log below? For every attempt I am getting the output in the format below in the audit.log file, and this is increasing the file space.
    On installing the Auditd package no rules are provided in /etc/audit/audit.rules. You must load rules by adding them to /etc/audit/audit.rules, writing them on the command line with 'auditctl' or loading one or more of the /usr/share/doc/audit-*/*.rules rulesets. There is no indication of what rules you have loaded.
    If you have rules loaded that log syscalls then you can review them by running 'auditctl -l | grep syscall=' or 'grep '^-.*-S' /etc/audit/audit.rules'.
    Deleting rules temporarily can be done with 'auditctl' or permanently by editing /etc/audit/audit.rules. Your logged syscall in your example is number 5 (awk '/^#define __NR_/ {print $3, $2}' /lib/modules/$(uname -r)/build/include/asm-i386/unistd.h | grep -v '+' | sed -e 's|__NR_||g'), "open", so 'egrep '^-.*S.(5|open)' /etc/audit/audit.rules' should find the rule to delete.
    Realize logging means knowing, and that trying to reduce logging for the wrong reasons may bite you good one day.


    Quote Originally Posted by ash_ok555:
    please share the steps to implement Linux audit for files and folders in a production setup.
    The ruleset to use depends on the policies the machine is subject to, its risk profile and purpose. Knowing none of these, as no information was provided by you, it would be foolish to suggest a ruleset. Have a look at the /usr/share/doc/audit-*/*.rules rulesets.
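To make the rules advice in the reply above concrete, an added example that is not part of the thread: the kind of rule that produces the SYSCALL/CWD/PATH triple quoted in post #3 for every open(2) on the host, beside a scoped rules file that uses -w watches on the files that matter and keeps the syscall rule only with -F filters, plus a small linter that resolves a numeric -S argument through the same kind of unistd.h lookup the reply describes and flags -a rules that carry no -F filter at all. The header excerpt, file paths and -k key names are constructed or assumed; auditctl syntax (-w/-p/-k, -a exit,always, -F arch=b32, -F auid!=4294967295) is real.

```shell
#!/bin/sh
# Added example (not from the thread): two audit.rules variants plus a linter.
# The unistd.h excerpt, file paths and -k key names are constructed/assumed.

# Excerpt in the format of asm/unistd_32.h (constructed; the real file is longer).
UNISTD_H='#define __NR_restart_syscall 0
#define __NR_exit 1
#define __NR_fork 2
#define __NR_read 3
#define __NR_write 4
#define __NR_open 5
#define __NR_close 6'

# A rule that logs every open(2) on the host: one SYSCALL+CWD+PATH triple
# per call, which is the record shape quoted in post #3.
NOISY_RULES='-D
-b 320
-a exit,always -S 5'

# Same intent, scoped: -w watches on the files that matter (-p r/w/x/a,
# -k tags the records so ausearch -k finds them), and the syscall rule only
# for successful opens by real logged-in users (auid set and >= 500).
SCOPED_RULES='-D
-b 320
-w /var/log/messages -p wa -k logfile
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a exit,always -F arch=b32 -S open -F success=1 -F auid>=500 -F auid!=4294967295 -k user-open'

# syscall_name NUMBER -> name from the header excerpt, or NUMBER if unknown.
# On a real host feed it /usr/include/asm/unistd_32.h (or unistd_64.h) instead.
syscall_name() {
  printf '%s\n' "$UNISTD_H" | awk -v n="$1" '
    $1 == "#define" && $3 == n { sub(/^__NR_/, "", $2); print $2; found = 1; exit }
    END { if (!found) print n }'
}

# lint_rules < rules -> one line per -a rule, UNSCOPED when it has no -F filter
lint_rules() {
  while IFS= read -r line; do
    case "$line" in -a*) ;; *) continue ;; esac
    sc=$(printf '%s\n' "$line" | sed -n 's/.*-S \([^ ]*\).*/\1/p')
    case "$sc" in [0-9]*) sc=$(syscall_name "$sc") ;; esac
    case "$line" in
      *" -F "*) echo "ok       $sc: $line" ;;
      *)        echo "UNSCOPED $sc: $line" ;;
    esac
  done
}

printf '%s\n' "$NOISY_RULES" | lint_rules
printf '%s\n' "$SCOPED_RULES" | lint_rules
```

Run the linter against a live ruleset with `lint_rules < /etc/audit/audit.rules` (or `auditctl -l | lint_rules`); every UNSCOPED line is a rule that fires for every process on the box and is the first place to look when audit.log grows faster than expected.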
