audit_log - File /var/log/audit/audit.log

- class insights.parsers.audit_log.AuditLog(context)
Bases: LogFileOutput

Class for parsing the /var/log/audit/audit.log file.

Sample log lines:
type=CRYPTO_KEY_USER msg=audit(1506046832.641:53584): pid=16865 uid=0 auid=0 ses=7247 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=16865 suid=0 rport=59296 laddr=192.0.2.1 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.3 terminal=? res=success'
type=LOGIN msg=audit(1506047401.407:53591): pid=482 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=993 old-ses=4294967295 ses=7389 res=1
type=AVC msg=audit(1506487181.009:32794): avc: denied { create } for pid=27960 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket
Examples:

>>> log = shared[AuditLog]
>>> log.get('type=AVC')
[{
    'is_valid': True,
    'timestamp': '1506487181.009',
    'unparsed': 'avc: denied { create } for',
    'msg_ID': '32794',
    'pid': '27960',
    'raw_message': 'type=AVC msg=audit(1506487181.009:32794): avc: denied { create } for pid=27960 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket',
    'comm': 'mongod',
    'scontext': 'system_u:system_r:mongod_t:s0',
    'tclass': 'unix_dgram_socket',
    'type': 'AVC',
    'tcontext': 'system_u:system_r:mongod_t:s0'
}]
>>> assert len(list(log.get_after(timestamp=date.fromtimestamp(1506047401.407)))) == 3
- get_after(timestamp, s=None)
Find all the (available) log records whose timestamp is after the given time stamp. This overrides the method of the same name in LogFileOutput.

- Parameters:
timestamp (datetime.datetime) -- lines before this time are ignored.
s (str or list) -- one or more strings to search for. If not supplied, all available lines are searched.

- Yields:
(dict) -- the parsed data of each line with a timestamp after this time, in the same format in which the lines were supplied.
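The example below is an added, self-contained illustration of how an audit.log record of the form shown above is broken into the flat dictionary the parser returns, and how a time-based filter like get_after works on the result. It is not the insights-core implementation of AuditLog; the sample lines are constructed copies of the format documented above, the nested msg_fields key and the acceptance of a float epoch in addition to a datetime are choices made here, and the regular expressions are my own.

```python
import re
from datetime import datetime

# Constructed sample input in the audit.log format documented above (not a capture from a real host).
SAMPLE_LINES = [
    "type=CRYPTO_KEY_USER msg=audit(1506046832.641:53584): pid=16865 uid=0 auid=0 ses=7247 "
    "subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? "
    "direction=both spid=16865 suid=0 rport=59296 laddr=192.0.2.1 lport=22 exe=\"/usr/sbin/sshd\" "
    "hostname=? addr=192.0.2.3 terminal=? res=success'",
    "type=LOGIN msg=audit(1506047401.407:53591): pid=482 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 "
    "old-auid=4294967295 auid=993 old-ses=4294967295 ses=7389 res=1",
    "type=AVC msg=audit(1506487181.009:32794): avc: denied { create } for pid=27960 comm=\"mongod\" "
    "scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket",
]

# Record header: type, then msg=audit(<epoch seconds>:<serial>): followed by the body.
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<timestamp>\d+\.\d+):(?P<msg_ID>\d+)\):\s*(?P<body>.*)$"
)
# key=value tokens; a value may be double-quoted, single-quoted (the nested msg='...'), or bare.
KV_RE = re.compile(r"""(?P<key>[\w-]+)=(?P<value>"[^"]*"|'[^']*'|\S+)""")


def _unquote(value):
    """Strip one matching pair of surrounding quotes, if present."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_line(line):
    """Parse one audit.log record into a flat dict, keeping the raw line and a validity flag."""
    record = {"raw_message": line, "is_valid": False}
    m = HEADER_RE.match(line.strip())
    if not m:
        return record  # malformed or truncated line: keep it, but leave it marked invalid
    record.update(type=m.group("type"), timestamp=m.group("timestamp"), msg_ID=m.group("msg_ID"))
    body = m.group("body")
    first_kv = KV_RE.search(body)
    # Free text before the first key=value pair, e.g. the AVC prefix "avc: denied { create } for".
    record["unparsed"] = body[: first_kv.start()].strip() if first_kv else body.strip()
    for kv in KV_RE.finditer(body):
        key, value = kv.group("key"), _unquote(kv.group("value"))
        # A quoted msg='...' carries its own key=value pairs (hypothetical msg_fields key used here);
        # they are kept apart so an inner pid= or uid= cannot overwrite the header-level field.
        if key == "msg" and "=" in value:
            record["msg_fields"] = {k: _unquote(v) for k, v in KV_RE.findall(value)}
        record[key] = value
    record["is_valid"] = True
    return record


def parse_audit_log(lines):
    """Parse an iterable of raw lines, preserving order."""
    return [parse_line(line) for line in lines]


def get_after(records, timestamp, s=None):
    """Yield valid records whose audit timestamp is at or after `timestamp`.

    `timestamp` is a datetime (as in the documented signature) or, for convenience here,
    a float epoch. `s` restricts results to records whose raw line contains the given
    string, or any of the given list of strings.
    """
    # A naive datetime is interpreted in local time by .timestamp(), matching datetime.fromtimestamp().
    cutoff = timestamp.timestamp() if isinstance(timestamp, datetime) else float(timestamp)
    needles = [s] if isinstance(s, str) else list(s or [])
    for rec in records:
        if not rec["is_valid"] or float(rec["timestamp"]) < cutoff:
            continue
        if needles and not any(n in rec["raw_message"] for n in needles):
            continue
        yield rec


if __name__ == "__main__":
    parsed = parse_audit_log(SAMPLE_LINES)
    since = datetime.fromtimestamp(1506047401.407)
    for rec in get_after(parsed, since, s="type=AVC"):
        print(rec["type"], rec["msg_ID"], rec["unparsed"], rec.get("comm"), rec.get("tclass"))
```

Two details matter for anyone writing detection logic over this output: the free-text prefix of an AVC record is kept separately in unparsed rather than being lost, and values inside the quoted msg='...' block are kept out of the top-level fields so that a process-supplied value can never shadow the kernel-supplied pid, uid or auid.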