Neither the data trail in /var/log/audit/audit.log
nor the different report types generated by aureport, described in
Section 29.5.2, “Generating Custom Audit Reports”, provide an intuitive reading
experience to the user. The aureport output is formatted in columns and
thus easily available to any sed, perl, or awk scripts that users might
connect to the audit framework to visualize the audit data.
The visualization scripts (see Section 30.6, “Configuring Log Visualization”) are one example of how to use standard Linux tools available with openSUSE or any other Linux distribution to create easy-to-read audit output. The following examples help you understand how the plain audit reports can be transformed into human-readable graphics.
The first example illustrates the relationship of programs and system calls. To get to this kind of data, you need to determine the appropriate aureport command that delivers the source data from which to generate the final graphic:
aureport -s -i
Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 16/02/09 17:45:01 open 20343 cron unset 2279
2. 16/02/09 17:45:02 mkdir 20350 mktemp root 2284
3. 16/02/09 17:45:02 mkdir 20351 mkdir root 2285
...
The first thing that the visualization script needs to do on this report is to extract only those columns that are of interest, in this example the syscall and the comm columns. The output is sorted and duplicates are removed, then the final output is piped into the visualization program itself:
LC_ALL=C aureport -s -i | awk '/^[0-9]/ { print $6" "$4 }' | sort | uniq | mkgraph
Adjusting the Locale
Depending on your choice of locale in
The second example illustrates the different types of events and how many of each type have been logged. The appropriate aureport command to extract this kind of information is aureport -e:
aureport -e -i --summary
Event Summary Report
======================
total type
======================
2434 SYSCALL
816 USER_START
816 USER_ACCT
814 CRED_ACQ
810 LOGIN
806 CRED_DISP
779 USER_END
99 CONFIG_CHANGE
52 USER_LOGIN
Because this type of report already contains a two-column output, it is simply fed into the visualization script and transformed into a bar chart.
aureport -e -i --summary | mkbar events
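The following script is an added example, not part of the guide or of the audit project's own visualization scripts. It reproduces both preprocessing steps offline on constructed aureport output: the column extraction that feeds mkgraph, and a plain-text stand-in for mkbar so the event summary can be checked without the graphing tools installed. The sample reports and the helper function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of 'LC_ALL=C aureport -s -i' output (not real audit data).
SAMPLE_SYSCALL_REPORT='Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 16/02/09 17:45:01 open 20343 cron unset 2279
2. 16/02/09 17:45:02 mkdir 20350 mktemp root 2284
3. 16/02/09 17:45:02 mkdir 20351 mkdir root 2285
4. 16/02/09 17:46:01 open 20360 cron unset 2290'

# Constructed sample of 'aureport -e -i --summary' output.
SAMPLE_EVENT_SUMMARY='Event Summary Report
======================
total type
======================
2434 SYSCALL
816 USER_START
99 CONFIG_CHANGE
52 USER_LOGIN'

# Same pipeline as in the text, minus mkgraph: keep only data rows (those
# starting with a digit), print the comm ($6) and syscall ($4) columns,
# then sort and drop duplicates. Each remaining line is one graph edge.
syscall_edges() {
    printf '%s\n' "$SAMPLE_SYSCALL_REPORT" \
        | awk '/^[0-9]/ { print $6" "$4 }' | sort | uniq
}

# Text bar chart standing in for mkbar: one '#' per 100 events (rounded
# up), so the relative volume of each event type is visible at a glance.
event_bars() {
    printf '%s\n' "$SAMPLE_EVENT_SUMMARY" \
        | awk '/^[0-9]/ {
            printf "%-14s %6d ", $2, $1
            for (i = 0; i < $1 / 100; i++) printf "#"
            printf "\n"
        }'
}

# Run stand-alone to see both outputs.
syscall_edges
event_bars
```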
For background information about the visualization of audit data, refer to the Web site of the audit project at http://people.redhat.com/sgrubb/audit/visualize/index.html.