auformat

auformat is a utility to convert the output from ausearch or aureport into another format for either viewing or further processing.

Example (as root):

ausearch -i -ts recent | auformat

Will turn the audit log into XML.

ausearch -i -ts recent | auformat -f html -o audit.html

Will turn the audit log into HTML and write it to the audit.html file.

aureport -e -i | auformat -f csv

Will turn the output from aureport into csv.

Requirements

The basic requirements are:

• Perl
• Perl module XML::Writer

For translations either:

• Perl module XML::LibXSLT
• libxslt-tools

The Perl modules should be available in your distribution's package repositories.

Output Formats

The currently supported output formats are as follows.

• XML
• CSV
• JSON
• HTML
• Back to original

The available formats can be listed by typing auformat -l. The output formats are easily extensible by writing an XSLT to transform the XML produced from the tool and placing the file in the transform directory.

ausearch Example

ausearch -i	XML	CSV	JSON	HTML
---- type=DAEMON_START msg=audit(11/14/2012 10:39:16.131:8805) : auditd start, ver=2.2 format=raw kernel=2.6.32-279.el6.x86_64 auid=unset pid=912 subj=system_u:system_r:auditd_t:s0 res=success ---- type=CONFIG_CHANGE msg=audit(11/14/2012 10:39:16.268:4) : audit_backlog_limit=320 old=64 auid=unset ses=unset subj=system_u:system_r:auditctl_t:s0 res=1 ---- type=USER_AUTH msg=audit(11/14/2012 10:40:20.780:5) : user pid=1081 uid=root auid=unset ses=unset subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=? exe=/bin/login hostname=? addr=? terminal=tty1 res=failed'	<?xml version="1.0" encoding="UTF-8"?> <ausearch hostname="jbloggs.test.net" generated="2013-08-13T21:50:16+01:00" generator="auformat" xsi:schemaLocation="urn:linux:audit:ausearch audits.xsd" xmlns="urn:linux:audit:ausearch" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <Event> <record type="DAEMON_START" timestamp="11/14/2012 10:39:16.131:8805"> <info>auditd start,</info> <ver>2.2</ver> <format>raw</format> <kernel>2.6.32-279.el6.x86_64</kernel> <auid>unset</auid> <pid>912</pid> <subj>system_u:system_r:auditd_t:s0</subj> <res>success</res> </record> </Event> <Event> <record type="CONFIG_CHANGE" timestamp="11/14/2012 10:39:16.268:4"> <audit_backlog_limit>320</audit_backlog_limit> <old>64</old> <auid>unset</auid> <ses>unset</ses> <subj>system_u:system_r:auditctl_t:s0</subj> <res>1</res> </record> </Event> <Event> <record type="USER_AUTH" timestamp="11/14/2012 10:40:20.780:5"> <info>user</info> <pid>1081</pid> <uid>root</uid> <auid>unset</auid> <ses>unset</ses> <subj>system_u:system_r:local_login_t:s0-s0:c0.c1023</subj> <msg> <op>PAM:authentication</op> <acct>?</acct> <exe>/bin/login</exe> <hostname>?</hostname> <addr>?</addr> <terminal>tty1</terminal> <res>failed</res> </msg> </record> </Event> </ausearch>	Event,Timestamp,Type,uid,pid,exe,Result,Message 1,11/14/2012 10:39:16.131:8805,DAEMON_START,,912,,success,"auditd start, ver=2.2 format=raw kernel=2.6.32-279.el6.x86_64 auid=unset pid=912 subj=system_u:system_r:auditd_t:s0 res=success" 2,11/14/2012 10:39:16.268:4,CONFIG_CHANGE,,,,1,"audit_backlog_limit=320 old=64 auid=unset ses=unset subj=system_u:system_r:auditctl_t:s0 res=1" 3,11/14/2012 10:40:20.780:5,USER_AUTH,root,1081,/bin/login,failed,"user pid=1081 uid=root auid=unset ses=unset subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=? exe=/bin/login hostname=? addr=? terminal=tty1 res=failed'"	{ "hostname":"jbloggs.test.net", "generated":"2013-07-23T16:19:56+01:00", "events": [ { "records": [ { "type":"DAEMON_START", "timestamp":"11/14/2012 10:39:16.131:8805", "info":"auditd start,", "ver":"2.2", "format":"raw", "kernel":"2.6.32-279.el6.x86_64", "auid":"unset", "pid":"912", "subj":"system_u:system_r:auditd_t:s0", "res":"success" } ] }, { "records": [ { "type":"CONFIG_CHANGE", "timestamp":"11/14/2012 10:39:16.268:4", "audit_backlog_limit":"320", "old":"64", "auid":"unset", "ses":"unset", "subj":"system_u:system_r:auditctl_t:s0", "res":"1" } ] } ] }	See example

aureport Example

aureport -u -i	XML	CSV	JSON	HTML
Process ID Report ====================================== # date time pid exe syscall auid event ====================================== 1. 07/07/13 18:28:08 3618 ? ? unset 5777 2. 07/07/13 18:30:01 3695 /usr/sbin/cron ? unset 2 3. 07/07/13 18:30:01 3695 /usr/sbin/cron ? unset 3	<?xml version="1.0" encoding="UTF-8"?> <aureport hostname="jbloggs.test.net" generated="2013-07-25T21:37:18+01:00" generator="auformat" title="Process ID Report" xsi:schemaLocation="urn:linux:audit:aureport auditr.xsd" xmlns="urn:linux:audit:aureport" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <header> <col>date</col> <col>time</col> <col>pid</col> <col>exe</col> <col>syscall</col> <col>auid</col> <col>event</col> </header> <record num="1"> <field col="date">07/07/13</field> <field col="time">18:28:08</field> <field col="pid">3618</field> <field col="exe">?</field> <field col="syscall">?</field> <field col="auid">unset</field> <field col="event">5777</field> </record> <record num="2"> <field col="date">07/07/13</field> <field col="time">18:30:01</field> <field col="pid">3695</field> <field col="exe">/usr/sbin/cron</field> <field col="syscall">?</field> <field col="auid">unset</field> <field col="event">2</field> </record> <record num="3"> <field col="date">07/07/13</field> <field col="time">18:30:01</field> <field col="pid">3695</field> <field col="exe">/usr/sbin/cron</field> <field col="syscall">?</field> <field col="auid">unset</field> <field col="event">3</field> </record> </aureport>	#,date,time,pid,exe,syscall,auid,event 1,07/07/13,18:28:08,3618,?,?,unset,5777 2,07/07/13,18:30:01,3695,/usr/sbin/cron,?,unset,2 3,07/07/13,18:30:01,3695,/usr/sbin/cron,?,unset,3	{ "hostname":"jbloggs.test.net", "generated":"2013-07-25T21:37:18+01:00", "generator":"auformat", "events":[ { "record":"1", "date":"07/07/13", "time":"18:28:08", "pid":"3618", "exe":"?", "syscall":"?", "auid":"unset", "event":"5777" }, { "record":"2", "date":"07/07/13", "time":"18:30:01", "pid":"3695", "exe":"/usr/sbin/cron", "syscall":"?", "auid":"unset", "event":"2" }, { "record":"3", "date":"07/07/13", "time":"18:30:01", "pid":"3695", "exe":"/usr/sbin/cron", "syscall":"?", "auid":"unset", "event":"3" } ] }	See example.

Download

Latest release: 2013-09-14

• auformat.tgz
• auformat-opensuse-1.1-1.noarch.rpm
• auformat-centos-1.1-1.noarch.rpm
• auformat_1.1_all.deb