audit_log - File /var/log/audit/audit.log

class insights.parsers.audit_log.AuditLog(context)

Bases: LogFileOutput

Class for parsing the /var/log/audit/audit.log file.

Sample log lines:

type=CRYPTO_KEY_USER msg=audit(1506046832.641:53584): pid=16865 uid=0 auid=0 ses=7247 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=16865 suid=0 rport=59296 laddr=192.0.2.1 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.0.2.3 terminal=? res=success'
type=LOGIN msg=audit(1506047401.407:53591): pid=482 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=993 old-ses=4294967295 ses=7389 res=1
type=AVC msg=audit(1506487181.009:32794): avc:  denied  { create } for  pid=27960 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket

Examples

>>> log = shared[AuditLog]
>>> log.get('type=AVC')
[{
    'is_valid': True,
    'timestamp': '1506487181.009',
    'unparsed': 'avc:  denied  { create } for',
    'msg_ID': '32794',
    'pid': '27960',
    'raw_message': 'type=AVC msg=audit(1506487181.009:32794): avc:  denied  { create } for  pid=27960 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket',
    'comm': 'mongod',
    'scontext': 'system_u:system_r:mongod_t:s0',
    'tclass': 'unix_dgram_socket',
    'type': 'AVC',
    'tcontext': 'system_u:system_r:mongod_t:s0'
}]
>>> from datetime import date
>>> assert len(list(log.get_after(timestamp=date.fromtimestamp(1506047401.407)))) == 3

get_after(timestamp, s=None)

Find all the (available) log lines whose timestamp is at or after the given time stamp. This overrides the get_after method of LogFileOutput.

Parameters:
  • timestamp (datetime.datetime) -- lines before this time are ignored.

  • s (str or list) -- one or more strings to search for. If not supplied, all available lines are searched.

Yields:

(dict) -- the parsed data of each line whose timestamp is after the given time, in the same dict format that get() returns.
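As an added example, not insights-core's own implementation, the following parser reproduces the record layout shown above (is_valid, timestamp, msg_ID, unparsed, raw_message plus the key=value fields) and a get_after filter, run over the page's three sample lines; the names SAMPLE, HEAD_RE, KV_RE, _fields, parse_line and get_after are assumptions of this example.

```python
import re
from datetime import datetime
# Constructed sample: the three audit.log records quoted on this page.
SAMPLE = [
    "type=CRYPTO_KEY_USER msg=audit(1506046832.641:53584): pid=16865 uid=0 auid=0 ses=7247 "
    "subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=session "
    "fp=? direction=both spid=16865 suid=0 rport=59296 laddr=192.0.2.1 lport=22  "
    'exe="/usr/sbin/sshd" hostname=? addr=192.0.2.3 terminal=? res=success\'',
    "type=LOGIN msg=audit(1506047401.407:53591): pid=482 uid=0 subj=system_u:system_r:crond_t:"
    "s0-s0:c0.c1023 old-auid=4294967295 auid=993 old-ses=4294967295 ses=7389 res=1",
    "type=AVC msg=audit(1506487181.009:32794): avc:  denied  { create } for  pid=27960 "
    'comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 '
    "tclass=unix_dgram_socket",
]
# Header is type=<T> msg=audit(<epoch seconds>:<serial>): ; then key=value tokens (quoted or bare).
HEAD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<id>\d+)\):\s*(?P<rest>.*)$")
KV_RE = re.compile(r"""(\w[\w-]*)=('[^']*'|"[^"]*"|\S*)""")

def _fields(text):
    """Turn key=value text into a dict; a single-quoted msg='...' nests more pairs and is flattened."""
    out = {}
    for key, val in KV_RE.findall(text):
        if val[:1] == "'" == val[-1:]:
            out.update(_fields(val[1:-1]))
        else:
            out[key] = val.strip('"')
    return out

def parse_line(line):
    """Parse one record into the field layout shown on this page; malformed lines get is_valid=False."""
    m = HEAD_RE.match(line)
    if not m:
        return {"is_valid": False, "raw_message": line}
    rec = {"is_valid": True, "raw_message": line, "type": m["type"], "timestamp": m["ts"], "msg_ID": m["id"]}
    rest, first = m["rest"], KV_RE.search(m["rest"])
    # Free text before the first key=value (AVC's "avc:  denied  { create } for") is kept verbatim.
    unparsed = (rest[:first.start()] if first else rest).strip()
    if unparsed:
        rec["unparsed"] = unparsed
    rec.update(_fields(rest[first.start():] if first else ""))
    return rec

def get_after(lines, timestamp, s=None):
    """Yield parsed records at or after `timestamp` (a datetime); `s` is a substring or a list of them."""
    needles = [s] if isinstance(s, str) else list(s or [])
    for line in lines:
        rec = parse_line(line)
        if rec["is_valid"] and all(n in line for n in needles) \
                and datetime.fromtimestamp(float(rec["timestamp"])) >= timestamp:
            yield rec
```

The time comparison is inclusive (>=), matching the parameter description "lines before this time are ignored", so the LOGIN line with the exact timestamp is returned.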