Output of aureport in columns

Output of aureport in columns

[Michael Mather]

Hi,

I have managed to find an easy way to put the output of aureport into
neat columns. For example:

aureport -i -f | sed 's/=====/==== /g' | column -t

However, if I combine this with ausearch, as in:

ausearch -k ROOT |aureport -i -f | sed .....

then some lines come out properly and some have extra data that shifts
everything off. For example, here are two successive lines from the
output. The first has 9 fields and the second 15:

311. 12-07-12 16:21:03 /proc/self/loginuid open yes /usr/bin/sudo mm 597
312. 12-07-12 16:21:03 (null) inode=970 dev=08:01 mode=0100755 ouid=0
ogid=0 rdev=00:00 execve yes /sbin/aureport root 599

What is happening?

Thanks - Michael Mather
-----------------------

Re: Output of aureport in columns

[Steve Grubb]

On Thursday, July 12, 2012 04:26:25 PM Michael Mather wrote:
> Hi,
> 
> I have managed to find an easy way to put the output of aureport into
> neat columns. For example:
> 
> aureport -i -f | sed 's/=====/==== /g' | column -t
> 
> However, if I combine this with ausearch, as in:
> 
> ausearch -k ROOT |aureport -i -f | sed .....

Is this really the ausearch portion or did you omit some parameters for 
brevity?


> then some lines come out properly and some have extra data that shifts
> everything off. For example, here are two successive lines from the
> output. The first has 9 fields and the second 15:
> 
> 311. 12-07-12 16:21:03 /proc/self/loginuid open yes /usr/bin/sudo mm 597
> 312. 12-07-12 16:21:03 (null) inode=970 dev=08:01 mode=0100755 ouid=0
> ogid=0 rdev=00:00 execve yes /sbin/aureport root 599
> 
> What is happening?

Does it behave better if you add --raw to the ausearch portion?

-Steve

RE: Output of aureport in columns

[Patrick Synor]

Is it possible that the output for these tools is not directed to STDOUT completely?  In which case you might have better luck redirecting output with something like 2>&1?

Just a thought...

-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Steve Grubb
Sent: Friday, July 13, 2012 9:23 AM
To: linux-audit@redhat.com
Subject: Re: Output of aureport in columns

On Thursday, July 12, 2012 04:26:25 PM Michael Mather wrote:
> Hi,
>
> I have managed to find an easy way to put the output of aureport into
> neat columns. For example:
>
> aureport -i -f | sed 's/=====/==== /g' | column -t
>
> However, if I combine this with ausearch, as in:
>
> ausearch -k ROOT |aureport -i -f | sed .....

Is this really the ausearch portion or did you omit some parameters for brevity?


> then some lines come out properly and some have extra data that shifts
> everything off. For example, here are two successive lines from the
> output. The first has 9 fields and the second 15:
>
> 311. 12-07-12 16:21:03 /proc/self/loginuid open yes /usr/bin/sudo mm 597
> 312. 12-07-12 16:21:03 (null) inode=970 dev=08:01 mode=0100755 ouid=0
> ogid=0 rdev=00:00 execve yes /sbin/aureport root 599
>
> What is happening?

Does it behave better if you add --raw to the ausearch portion?

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
CONFIDENTIALITY NOTE: This message and any attachments are confidential, may contain information that is privileged and is intended only for the use of the addressee. If you are not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system. This message is not meant to constitute an electronic signature or evidence intent to contract electronically.

Re: Output of aureport in columns

[Michael Mather]

Yes, Steve, adding --raw works beautifully. Thanks.

Now, where can I find a tutorial that might have taught me this?

And is there a way to search this list?

Michael Mather
--------------

On Fri, 2012-07-13 at 09:22 -0400, Steve Grubb wrote:
> On Thursday, July 12, 2012 04:26:25 PM Michael Mather wrote:
> > Hi,
> > 
> > I have managed to find an easy way to put the output of aureport into
> > neat columns. For example:
> > 
> > aureport -i -f | sed 's/=====/==== /g' | column -t
> > 
> > However, if I combine this with ausearch, as in:
> > 
> > ausearch -k ROOT |aureport -i -f | sed .....
> 
> Is this really the ausearch portion or did you omit some parameters for 
> brevity?
> 
> 
> > then some lines come out properly and some have extra data that shifts
> > everything off. For example, here are two successive lines from the
> > output. The first has 9 fields and the second 15:
> > 
> > 311. 12-07-12 16:21:03 /proc/self/loginuid open yes /usr/bin/sudo mm 597
> > 312. 12-07-12 16:21:03 (null) inode=970 dev=08:01 mode=0100755 ouid=0
> > ogid=0 rdev=00:00 execve yes /sbin/aureport root 599
> > 
> > What is happening?
> 
> Does it behave better if you add --raw to the ausearch portion?
> 
> -Steve

Re: Output of aureport in columns

[Steve Grubb]

On Friday, July 13, 2012 01:09:00 PM Michael Mather wrote:
> Yes, Steve, adding --raw works beautifully. Thanks.
> 
> Now, where can I find a tutorial that might have taught me this?

There is some discussion of this in the audit.rules man page under the section 
NOTES. There was also an article about using the audit system to debug the 
whole OS at once. The article gives some examples of stringing together 
searches and reports:

http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf


> And is there a way to search this list?

You can use Google and the site operator to restrict the results:

site:www.redhat.com ausearch raw
 
-Steve