Parse audit log

I am trying to parse the audit log to find a particular date that is associated with a user record. The date and the context of the record that I need to extract from the audit.log are 11-07-2015, the username and the activity he or she performed that day.

Here is my code:

grep -c date -d "11-07-2015 +%m%d%y" sudo /var/log/audit/audit.log

What exactly is going wrong? Please describe in detail, post error msgs and a decent input sample!

As to your code:

  • What's the "sudo" for?
  • I reckon you need to apply command substitution to the date command.
  • Why do you need the date at all if the search string is already at hand?

man aureport

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Creating_Audit_Reports.html

I am sorry that I was not clear.

The purpose of my program is to extract from audit.log the name of the user who restarted an application service on a particular date.

The audit.log input data is as follows:

type=LOGIN msg=audit(1175508928.548:4503): user pid=7878 uid=0 auid=555555
ses=4444 msg='start direction=from-servr suid=90 authentication acct=root laddr=133.122.90.334  lport=4567 exe=/usr/sbin/sshd
hostname=earth.example.com res=success)

Here is my code. The first part of the code extracts the username from the passwd file, and the second part of the code adds a username to the auid field and converts audit dates into readable dates. The audit.log is then queried by the date 11/07/2015. Finally, the results are written to the file audit.txt. My program generates an error when executed.

Here is my code:

echo u =awk -F '{print $1}' /etc/passwd

sudo cat /var/log/audit/audit.log | ausearch -ui $u perl -ne 'chomp: if ( /(.*type\()(\d+)(\. \d+.*)/) {$td = scalar localtime $; print "$1$td-$30 \n";}' > tmp/audit.txt

The following is an example of how the data in the output audit.txt needs to be displayed:

type=LOGIN msg=11/07/2015 12:38: 38 PM user pid=7878 uid=deepak auid=deepak 
ses=4444 msg='start direction=from-servr suid=90 authentication acct=root laddr=133.122.90.334  lport=4567 exe=/usr/sbin/sshd
hostname=earth.example.com res=success)
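A working version of what the post above describes, added here as an example and not the poster's script, written in Python rather than as a perl one-liner: it maps uid/auid to login names from passwd-format text, turns the audit(SECONDS.MILLIS:SERIAL) stamp into a readable date, and keeps only SERVICE_START/SERVICE_STOP records on the requested day. The passwd and audit lines are constructed sample data, and the httpd unit and systemd paths in them are assumptions about what a service restart looks like in audit.log.

```python
import re
from datetime import datetime, timezone

# Constructed sample data modelled on the record quoted in the post; not real logs.
PASSWD = "root:x:0:0:root:/root:/bin/bash\ndeepak:x:555555:555555:Deepak:/home/deepak:/bin/bash\n"
AUDIT_LOG = (
    "type=LOGIN msg=audit(1175508928.548:4503): user pid=7878 uid=0 auid=555555 "
    "ses=4444 exe=/usr/sbin/sshd hostname=earth.example.com res=success\n"
    "type=SERVICE_STOP msg=audit(1446900000.123:5001): pid=1 uid=0 auid=555555 "
    "msg='unit=httpd comm=systemd exe=/usr/lib/systemd/systemd' res=success\n"
    "type=SERVICE_START msg=audit(1446900005.456:5002): pid=1 uid=0 auid=555555 "
    "msg='unit=httpd comm=systemd exe=/usr/lib/systemd/systemd' res=success\n"
)
# Every audit record starts "type=... msg=audit(SECONDS.MILLIS:SERIAL):".
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:\d+\):(.*)$")

def load_users(passwd_text):
    """Map numeric uid (field 3) -> login name (field 1) from passwd-format text."""
    users = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            users[fields[2]] = fields[0]
    return users

def to_stamp(secs, fmt="%m/%d/%Y %I:%M:%S %p"):
    return datetime.fromtimestamp(int(secs), tz=timezone.utc).strftime(fmt)  # UTC: TZ-independent

def humanize(line, users):
    """Rewrite one record with a readable date and uid/auid replaced by login names."""
    m = HEADER_RE.match(line)
    if not m:
        return None  # not an audit record (blank line, stray continuation, etc.)
    rtype, secs, rest = m.groups()
    # \b stops "uid=" matching inside suid=/euid=; uids missing from passwd stay numeric.
    rest = re.sub(r"\b(auid|uid)=(\d+)",
                  lambda f: f"{f.group(1)}={users.get(f.group(2), f.group(2))}", rest)
    return f"type={rtype} msg={to_stamp(secs)}{rest}"

def restarts_on(audit_text, passwd_text, day):
    """(login_name, readable_line) for SERVICE_START/STOP records dated `day` (MM/DD/YYYY).
    The actor comes from auid (the uid that logged in), not uid, which is root after sudo."""
    users = load_users(passwd_text)
    hits = []
    for line in audit_text.splitlines():
        m = HEADER_RE.match(line)
        if not m or not m.group(1).startswith("SERVICE_") or to_stamp(m.group(2), "%m/%d/%Y") != day:
            continue
        auid = re.search(r"\bauid=(\d+)", line)
        who = "?" if not auid or auid.group(1) == "4294967295" else users.get(auid.group(1), auid.group(1))
        hits.append((who, humanize(line, users)))  # 4294967295 = auid never set for this session
    return hits
```

On a real host, pass the contents of /var/log/audit/audit.log and /etc/passwd in place of the embedded strings (reading the log needs root, which is where sudo belongs).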