How to decode audit logs

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
3
down vote

favorite
2












I'm auditing the files in a nfs share. When I look at the audit logs using the command ausearch -f /var/nfs/general , I get some logs that looks like this:



time->Tue Jun 12 16:23:34 2018
type=PROCTITLE msg=audit(1528800814.660:2782): proctitle=636174002F7661722F6E66732F67656E6572616C2F6E6673312E747874
type=PATH msg=audit(1528800814.660:2782): item=0 name="/var/nfs/general/nfs1.txt" inode=4063539 dev=08:01 mode=0100664 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1528800814.660:2782): cwd="/home/test"
type=SYSCALL msg=audit(1528800814.660:2782): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc2c53c824 a1=0 a2=20000 a3=69d items=1 ppid=31104 pid=7295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts18 ses=4294967295 comm="cat" exe="/bin/cat" key=(null)


Now how can I get the IP address and the host name of the client who accessed the nfs share files?



Is there any other way to find those details?



I want to gather the details such as time, date, IP address of the client, client host name, event occurred (like read, write, rename, change ownership to the file, delete or create a file in the nfs folder).



The gathered details are to be put in a separate file which can be used for further purposes.



How can I do this?



I'm a linux newbie. Please help me.



Thank You. :)







share|improve this question

























    up vote
    3
    down vote

    favorite
    2












    I'm auditing the files in a nfs share. When I look at the audit logs using the command ausearch -f /var/nfs/general , I get some logs that looks like this:



    time->Tue Jun 12 16:23:34 2018
    type=PROCTITLE msg=audit(1528800814.660:2782): proctitle=636174002F7661722F6E66732F67656E6572616C2F6E6673312E747874
    type=PATH msg=audit(1528800814.660:2782): item=0 name="/var/nfs/general/nfs1.txt" inode=4063539 dev=08:01 mode=0100664 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
    type=CWD msg=audit(1528800814.660:2782): cwd="/home/test"
    type=SYSCALL msg=audit(1528800814.660:2782): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc2c53c824 a1=0 a2=20000 a3=69d items=1 ppid=31104 pid=7295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts18 ses=4294967295 comm="cat" exe="/bin/cat" key=(null)


    Now how can I get the IP address and the host name of the client who accessed the nfs share files?



    Is there any other way to find those details?



    I want to gather the details such as time, date, IP address of the client, client host name, event occurred (like read, write, rename, change ownership to the file, delete or create a file in the nfs folder).



    The gathered details are to be put in a separate file which can be used for further purposes.



    How can I do this?



    I'm a linux newbie. Please help me.



    Thank You. :)







    share|improve this question























      up vote
      3
      down vote

      favorite
      2









      up vote
      3
      down vote

      favorite
      2






      2





      I'm auditing the files in a nfs share. When I look at the audit logs using the command ausearch -f /var/nfs/general , I get some logs that looks like this:



      time->Tue Jun 12 16:23:34 2018
      type=PROCTITLE msg=audit(1528800814.660:2782): proctitle=636174002F7661722F6E66732F67656E6572616C2F6E6673312E747874
      type=PATH msg=audit(1528800814.660:2782): item=0 name="/var/nfs/general/nfs1.txt" inode=4063539 dev=08:01 mode=0100664 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
      type=CWD msg=audit(1528800814.660:2782): cwd="/home/test"
      type=SYSCALL msg=audit(1528800814.660:2782): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc2c53c824 a1=0 a2=20000 a3=69d items=1 ppid=31104 pid=7295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts18 ses=4294967295 comm="cat" exe="/bin/cat" key=(null)


      Now how can I get the IP address and the host name of the client who accessed the nfs share files?



      Is there any other way to find those details?



      I want to gather the details such as time, date, IP address of the client, client host name, event occurred (like read, write, rename, change ownership to the file, delete or create a file in the nfs folder).



      The gathered details are to be put in a separate file which can be used for further purposes.



      How can I do this?



      I'm a linux newbie. Please help me.



      Thank You. :)







      share|improve this question













      I'm auditing the files in a nfs share. When I look at the audit logs using the command ausearch -f /var/nfs/general , I get some logs that looks like this:



      time->Tue Jun 12 16:23:34 2018
      type=PROCTITLE msg=audit(1528800814.660:2782): proctitle=636174002F7661722F6E66732F67656E6572616C2F6E6673312E747874
      type=PATH msg=audit(1528800814.660:2782): item=0 name="/var/nfs/general/nfs1.txt" inode=4063539 dev=08:01 mode=0100664 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
      type=CWD msg=audit(1528800814.660:2782): cwd="/home/test"
      type=SYSCALL msg=audit(1528800814.660:2782): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc2c53c824 a1=0 a2=20000 a3=69d items=1 ppid=31104 pid=7295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts18 ses=4294967295 comm="cat" exe="/bin/cat" key=(null)


      Now how can I get the IP address and the host name of the client who accessed the nfs share files?



      Is there any other way to find those details?



      I want to gather the details such as time, date, IP address of the client, client host name, event occurred (like read, write, rename, change ownership to the file, delete or create a file in the nfs folder).



      The gathered details are to be put in a separate file which can be used for further purposes.



      How can I do this?



      I'm a linux newbie. Please help me.



      Thank You. :)









      share|improve this question












      share|improve this question




      share|improve this question








      edited Jun 13 at 10:08









      GAD3R

      22.1k154891




      22.1k154891









      asked Jun 13 at 8:25









      Lublaut

      219




      219




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          2
          down vote













          I'm afraid you can't do that with the standard in-kernel NFS server. The audit subsystem audits system calls (calls from userspace to the kernel) and no such syscalls for I/O operations are done by NFS as the NFS server runs directly inside the kernel.



          Some possible ways to get a log of NFS operations could be:



          • Enable NFS debug logging using rpcdebug and process the resulting logs.

          • Trace the interesting NFS operations using the ftrace framework.

          • Switch to an userspace NFS server such as Ganesha. (I'm not sure if it can log accesses. If not, you'd have to implement it yourself.)

          In case you're wondering, the audit record you mentioned has nothing to do with NFS, that's just someone running cat /var/nfs/general/nfs1.txt locally.






          share|improve this answer





















          • Could you please show me how to do it?
            – Lublaut
            Jun 14 at 6:16










          • How do i use ftrace ?. I've enabled the rpcdebug.What do you mean by 'process the resulting logs' ?
            – Lublaut
            Jun 18 at 5:21










          • Well, ftrace or rpcebug will only give you a log of various bits of state from internal NFS operations, you will have to write some scripts to put the pieces together and extract the information you want. You will need to learn at least the basic inner workings of NFS and the Linux kernel (or find someone more experienced to help you). An overview of ftrace is in the kernel documentation.
            – TooTea
            Jun 18 at 10:11











          • Could you please elaborate your last comment @TooTea
            – Lublaut
            Jun 18 at 12:05










          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );








           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f449473%2fhow-to-decode-audit-logs%23new-answer', 'question_page');

          );

          Post as a guest






























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          2
          down vote













          I'm afraid you can't do that with the standard in-kernel NFS server. The audit subsystem audits system calls (calls from userspace to the kernel) and no such syscalls for I/O operations are done by NFS as the NFS server runs directly inside the kernel.



          Some possible ways to get a log of NFS operations could be:



          • Enable NFS debug logging using rpcdebug and process the resulting logs.

          • Trace the interesting NFS operations using the ftrace framework.

          • Switch to an userspace NFS server such as Ganesha. (I'm not sure if it can log accesses. If not, you'd have to implement it yourself.)

          In case you're wondering, the audit record you mentioned has nothing to do with NFS, that's just someone running cat /var/nfs/general/nfs1.txt locally.






          share|improve this answer





















          • Could you please show me how to do it?
            – Lublaut
            Jun 14 at 6:16










          • How do i use ftrace ?. I've enabled the rpcdebug.What do you mean by 'process the resulting logs' ?
            – Lublaut
            Jun 18 at 5:21










          • Well, ftrace or rpcebug will only give you a log of various bits of state from internal NFS operations, you will have to write some scripts to put the pieces together and extract the information you want. You will need to learn at least the basic inner workings of NFS and the Linux kernel (or find someone more experienced to help you). An overview of ftrace is in the kernel documentation.
            – TooTea
            Jun 18 at 10:11











          • Could you please elaborate your last comment @TooTea
            – Lublaut
            Jun 18 at 12:05














          up vote
          2
          down vote













          I'm afraid you can't do that with the standard in-kernel NFS server. The audit subsystem audits system calls (calls from userspace to the kernel) and no such syscalls for I/O operations are done by NFS as the NFS server runs directly inside the kernel.



          Some possible ways to get a log of NFS operations could be:



          • Enable NFS debug logging using rpcdebug and process the resulting logs.

          • Trace the interesting NFS operations using the ftrace framework.

          • Switch to an userspace NFS server such as Ganesha. (I'm not sure if it can log accesses. If not, you'd have to implement it yourself.)

          In case you're wondering, the audit record you mentioned has nothing to do with NFS, that's just someone running cat /var/nfs/general/nfs1.txt locally.






          share|improve this answer





















          • Could you please show me how to do it?
            – Lublaut
            Jun 14 at 6:16










          • How do i use ftrace ?. I've enabled the rpcdebug.What do you mean by 'process the resulting logs' ?
            – Lublaut
            Jun 18 at 5:21










          • Well, ftrace or rpcebug will only give you a log of various bits of state from internal NFS operations, you will have to write some scripts to put the pieces together and extract the information you want. You will need to learn at least the basic inner workings of NFS and the Linux kernel (or find someone more experienced to help you). An overview of ftrace is in the kernel documentation.
            – TooTea
            Jun 18 at 10:11











          • Could you please elaborate your last comment @TooTea
            – Lublaut
            Jun 18 at 12:05












          up vote
          2
          down vote










          up vote
          2
          down vote









          I'm afraid you can't do that with the standard in-kernel NFS server. The audit subsystem audits system calls (calls from userspace to the kernel) and no such syscalls for I/O operations are done by NFS as the NFS server runs directly inside the kernel.



          Some possible ways to get a log of NFS operations could be:



          • Enable NFS debug logging using rpcdebug and process the resulting logs.

          • Trace the interesting NFS operations using the ftrace framework.

          • Switch to an userspace NFS server such as Ganesha. (I'm not sure if it can log accesses. If not, you'd have to implement it yourself.)

          In case you're wondering, the audit record you mentioned has nothing to do with NFS, that's just someone running cat /var/nfs/general/nfs1.txt locally.






          share|improve this answer













          I'm afraid you can't do that with the standard in-kernel NFS server. The audit subsystem audits system calls (calls from userspace to the kernel) and no such syscalls for I/O operations are done by NFS as the NFS server runs directly inside the kernel.



          Some possible ways to get a log of NFS operations could be:



          • Enable NFS debug logging using rpcdebug and process the resulting logs.

          • Trace the interesting NFS operations using the ftrace framework.

          • Switch to an userspace NFS server such as Ganesha. (I'm not sure if it can log accesses. If not, you'd have to implement it yourself.)

          In case you're wondering, the audit record you mentioned has nothing to do with NFS, that's just someone running cat /var/nfs/general/nfs1.txt locally.







          share|improve this answer













          share|improve this answer



          share|improve this answer











          answered Jun 13 at 10:22









          TooTea

          2715




          2715











          • Could you please show me how to do it?
            – Lublaut
            Jun 14 at 6:16










          • How do i use ftrace ?. I've enabled the rpcdebug.What do you mean by 'process the resulting logs' ?
            – Lublaut
            Jun 18 at 5:21










          • Well, ftrace or rpcebug will only give you a log of various bits of state from internal NFS operations, you will have to write some scripts to put the pieces together and extract the information you want. You will need to learn at least the basic inner workings of NFS and the Linux kernel (or find someone more experienced to help you). An overview of ftrace is in the kernel documentation.
            – TooTea
            Jun 18 at 10:11











          • Could you please elaborate your last comment @TooTea
            – Lublaut
            Jun 18 at 12:05
















          • Could you please show me how to do it?
            – Lublaut
            Jun 14 at 6:16










          • How do i use ftrace ?. I've enabled the rpcdebug.What do you mean by 'process the resulting logs' ?
            – Lublaut
            Jun 18 at 5:21










          • Well, ftrace or rpcebug will only give you a log of various bits of state from internal NFS operations, you will have to write some scripts to put the pieces together and extract the information you want. You will need to learn at least the basic inner workings of NFS and the Linux kernel (or find someone more experienced to help you). An overview of ftrace is in the kernel documentation.
            – TooTea
            Jun 18 at 10:11











          • Could you please elaborate your last comment @TooTea
            – Lublaut
            Jun 18 at 12:05















          Could you please show me how to do it?
          – Lublaut
          Jun 14 at 6:16




          Could you please show me how to do it?
          – Lublaut
          Jun 14 at 6:16












          How do i use ftrace ?. I've enabled the rpcdebug.What do you mean by 'process the resulting logs' ?
          – Lublaut
          Jun 18 at 5:21




          How do i use ftrace ?. I've enabled the rpcdebug.What do you mean by 'process the resulting logs' ?
          – Lublaut
          Jun 18 at 5:21












          Well, ftrace or rpcebug will only give you a log of various bits of state from internal NFS operations, you will have to write some scripts to put the pieces together and extract the information you want. You will need to learn at least the basic inner workings of NFS and the Linux kernel (or find someone more experienced to help you). An overview of ftrace is in the kernel documentation.
          – TooTea
          Jun 18 at 10:11





          Well, ftrace or rpcebug will only give you a log of various bits of state from internal NFS operations, you will have to write some scripts to put the pieces together and extract the information you want. You will need to learn at least the basic inner workings of NFS and the Linux kernel (or find someone more experienced to help you). An overview of ftrace is in the kernel documentation.
          – TooTea
          Jun 18 at 10:11













          Could you please elaborate your last comment @TooTea
          – Lublaut
          Jun 18 at 12:05




          Could you please elaborate your last comment @TooTea
          – Lublaut
          Jun 18 at 12:05












           

          draft saved


          draft discarded


























           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f449473%2fhow-to-decode-audit-logs%23new-answer', 'question_page');

          );

          Post as a guest













































































          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?