It didn't work for me. I have an issue.

Sent from my iPhone

> On 11 Sep 2018, at 9:51 pm, Steve Grubb <sgr...@redhat.com> wrote:
> 
>> On Tuesday, September 11, 2018 8:14:05 AM EDT khalid fahad wrote:
>> Hi,
>> I need help to decode the following records in audit.log. Thanks
>> type=PROCTITLE msg=audit(100000000.000:000):
>> proctitle=726D002F7661722F6C6F672F736563757265 type=PATH
>> msg=audit(100000000.000:000): item=1 name="/var/log/secure" inode=34679270
>> dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
>> obj=system_u:object_r:var_log_t:s0 objtype=DELETE type=PATH
>> msg=audit(100000000.000:000): item=0 name="/var/log/" inode=33586091
>> dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
>> obj=system_u:object_r:var_log_t:s0 objtype=PARENT type=CWD
>> msg=audit(100000000.000:000):  cwd="/home/adminuser"
>> type=SYSCALL msg=audit(100000000.000:000): arch=c000003e syscall=263
>> success=no exit=-13 a0=ffffffffffffff9c a1=b830c0 a2=0 a3=7ffc9bd9d600
>> items=2 ppid=3493 pid=35055 auid=1000 uid=1000 gid=1000 euid=1000
>> suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1
>> comm="rm" exe="/usr/bin/rm"
>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> key="secure_log"
> 
> The ausearch program is able to decode this and is meant to display the audit 
> logs. If you have that in a file named log, you can just do something like 
> 
> ausearch -if log -i
> 
> and that should decode your event.
> 
> -Steve
> 
> 

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
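As an added example (not from the thread or from the audit project), a small Python decoder that does by hand what `ausearch -i` does for the two records quoted above: it hex-decodes the proctitle into argv, names the arch and syscall, maps the negative exit value to its errno name, and recognises a0 as AT_FDCWD. It assumes x86_64 syscall numbering and uses partial lookup tables covering only the values present in these records.

```python
import errno
import re

# Constructed sample: the PROCTITLE and SYSCALL records quoted in the thread,
# each on one line (the placeholder timestamp/serial is the poster's own).
SAMPLE = """\
type=PROCTITLE msg=audit(100000000.000:000): proctitle=726D002F7661722F6C6F672F736563757265
type=SYSCALL msg=audit(100000000.000:000): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=b830c0 a2=0 a3=7ffc9bd9d600 items=2 ppid=3493 pid=35055 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="secure_log"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Partial lookup tables (assumption: only the values seen in these records).
ARCH = {"c000003e": "x86_64"}
SYSCALL_X86_64 = {263: "unlinkat"}
AT_FDCWD = 0xFFFFFFFFFFFFFF9C  # -100 printed as an unsigned 64-bit value


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def decode_proctitle(hexstr):
    """proctitle is hex-encoded because argv holds NUL separators; split on them."""
    return [arg.decode() for arg in bytes.fromhex(hexstr).split(b"\0")]


def decode_event(text):
    """Turn the raw records of one event into the fields an analyst reads."""
    recs = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            recs[rec["type"]] = rec
    sc = recs["SYSCALL"]
    exit_code = int(sc["exit"])
    return {
        "argv": decode_proctitle(recs["PROCTITLE"]["proctitle"]),
        "arch": ARCH.get(sc["arch"], sc["arch"]),
        "syscall": SYSCALL_X86_64.get(int(sc["syscall"]), sc["syscall"]),
        "dirfd": "AT_FDCWD" if int(sc["a0"], 16) == AT_FDCWD else sc["a0"],
        # A negative exit is -errno; errno.errorcode maps 13 -> EACCES.
        "result": "success" if exit_code >= 0 else errno.errorcode.get(-exit_code, str(exit_code)),
        "auid": int(sc["auid"]),
        "key": sc["key"],
    }


if __name__ == "__main__":
    for k, v in decode_event(SAMPLE).items():
        print(f"{k}: {v}")
```

Decoded, the event reads as an attempt by auid 1000 to run `rm /var/log/secure` via unlinkat that failed with EACCES, which is exactly what the key="secure_log" watch is there to surface.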