How to decode audit logs
I'm auditing the files in an NFS share. When I look at the audit logs using the command ausearch -f /var/nfs/general, I get some logs that look like this:
time->Tue Jun 12 16:23:34 2018
type=PROCTITLE msg=audit(1528800814.660:2782): proctitle=636174002F7661722F6E66732F67656E6572616C2F6E6673312E747874
type=PATH msg=audit(1528800814.660:2782): item=0 name="/var/nfs/general/nfs1.txt" inode=4063539 dev=08:01 mode=0100664 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1528800814.660:2782): cwd="/home/test"
type=SYSCALL msg=audit(1528800814.660:2782): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc2c53c824 a1=0 a2=20000 a3=69d items=1 ppid=31104 pid=7295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts18 ses=4294967295 comm="cat" exe="/bin/cat" key=(null)
Now how can I get the IP address and the host name of the client who accessed the NFS share files?
Is there any other way to find those details?
I want to gather details such as time, date, IP address of the client, client host name, and the event that occurred (like read, write, rename, change of ownership of the file, delete or create a file in the NFS folder).
The gathered details are to be put in a separate file which can be used for further purposes.
How can I do this?
I'm a Linux newbie. Please help me.
Thank you. :)
linux logs nfs audit
edited Jun 13 at 10:08
GAD3R
asked Jun 13 at 8:25
Lublaut
1 Answer
I'm afraid you can't do that with the standard in-kernel NFS server. The audit subsystem audits system calls (calls from userspace to the kernel), and no such syscalls for I/O operations are done by NFS, as the NFS server runs directly inside the kernel.
Some possible ways to get a log of NFS operations could be:
- Enable NFS debug logging using rpcdebug and process the resulting logs.
- Trace the interesting NFS operations using the ftrace framework.
- Switch to a userspace NFS server such as Ganesha. (I'm not sure if it can log accesses. If not, you'd have to implement it yourself.)
In case you're wondering, the audit record you mentioned has nothing to do with NFS; that's just someone running cat /var/nfs/general/nfs1.txt locally.
answered Jun 13 at 10:22
TooTea
Could you please show me how to do it?
– Lublaut, Jun 14 at 6:16
How do I use ftrace? I've enabled rpcdebug. What do you mean by 'process the resulting logs'?
– Lublaut, Jun 18 at 5:21
Well, ftrace or rpcdebug will only give you a log of various bits of state from internal NFS operations; you will have to write some scripts to put the pieces together and extract the information you want. You will need to learn at least the basic inner workings of NFS and the Linux kernel (or find someone more experienced to help you). An overview of ftrace is in the kernel documentation.
– TooTea, Jun 18 at 10:11
Could you please elaborate your last comment @TooTea
– Lublaut, Jun 18 at 12:05
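As an added worked example (my code, not part of TooTea's answer or of the original post), here is a small Python decoder for the raw audit records shown in the question. It groups the PROCTITLE, PATH, CWD and SYSCALL records of one event by their audit(seconds.ms:serial) id, decodes the hex-encoded proctitle into argv, names the syscall for the x86_64 arch value seen in the sample (the syscall table is a deliberately small subset of asm/unistd_64.h), decodes the open(2) access mode from the flags argument, and flattens each event into one dict that can be written out as JSON lines, which is the "separate file" the question asks for. The sample input is the question's own four records; the script name decode_audit.py in the usage comment is hypothetical.

```python
import json
import re
import sys
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input: the records quoted in the question, in the raw
# key=value form that `ausearch -r` prints (the "time->" line is omitted).
SAMPLE = """\
type=PROCTITLE msg=audit(1528800814.660:2782): proctitle=636174002F7661722F6E66732F67656E6572616C2F6E6673312E747874
type=PATH msg=audit(1528800814.660:2782): item=0 name="/var/nfs/general/nfs1.txt" inode=4063539 dev=08:01 mode=0100664 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1528800814.660:2782): cwd="/home/test"
type=SYSCALL msg=audit(1528800814.660:2782): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc2c53c824 a1=0 a2=20000 a3=69d items=1 ppid=31104 pid=7295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts18 ses=4294967295 comm="cat" exe="/bin/cat" key=(null)
"""

ARCH_X86_64 = "c000003e"  # value of arch= for x86_64 (AUDIT_ARCH_X86_64)
# Subset of asm/unistd_64.h covering the sample and the events the poster
# wants to see; `ausyscall --dump` prints the full table for a host.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 82: "rename",
                   87: "unlink", 92: "chown", 257: "openat"}
UNSET_ID = 4294967295  # (unsigned)-1: auid/ses never set, i.e. no login session
O_ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}

_HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<secs>\d+)\.(?P<ms>\d+)"
                     r":(?P<serial>\d+)\): (?P<body>.*)$")
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(body):
    """Split `k=v k="quoted v"` into a dict, dropping the surrounding quotes."""
    out = {}
    for key, val in _FIELD.findall(body):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        out[key] = val
    return out


def decode_proctitle(hexstr):
    """proctitle= is the process argv, hex-encoded with NUL separators."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\0")


def parse_events(text):
    """Group records by audit event id -> {record type: fields}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = _HEADER.match(line.strip())
        if not m:  # skips ausearch's "----" separators and "time->" lines
            continue
        event = events[f"{m['secs']}.{m['ms']}:{m['serial']}"]
        fields = parse_fields(m["body"])
        if m["type"] == "PATH":  # one PATH record per item; keep them all
            event.setdefault("PATH", []).append(fields)
        else:
            event[m["type"]] = fields
    return dict(events)


def open_access_mode(sc, name):
    """For open/openat, decode the access-mode bits of the flags argument."""
    if name == "open":
        flags = int(sc["a1"], 16)  # open(path, flags, mode)
    elif name == "openat":
        flags = int(sc["a2"], 16)  # openat(dirfd, path, flags, mode)
    else:
        return None
    return O_ACCMODE.get(flags & 3)


def summarize(event_id, event):
    """Flatten one grouped event into the fields an investigator wants."""
    sc = event.get("SYSCALL", {})
    nr = int(sc.get("syscall", -1))
    if sc.get("arch") == ARCH_X86_64:
        name = X86_64_SYSCALLS.get(nr, f"syscall_{nr}")
    else:
        name = f"syscall_{nr}@arch_{sc.get('arch')}"
    auid = int(sc.get("auid", UNSET_ID))
    secs = int(event_id.split(".")[0])
    return {
        "event_id": event_id,
        "time_utc": datetime.fromtimestamp(secs, tz=timezone.utc).isoformat(),
        "syscall": name,
        "access_mode": open_access_mode(sc, name),
        "success": sc.get("success") == "yes",
        "argv": decode_proctitle(event["PROCTITLE"]["proctitle"]) if "PROCTITLE" in event else [],
        "paths": [p.get("name") for p in event.get("PATH", [])],
        "cwd": event.get("CWD", {}).get("cwd"),
        "exe": sc.get("exe"),
        "uid": int(sc["uid"]) if "uid" in sc else None,
        "auid": None if auid == UNSET_ID else auid,  # None: no login behind it
        "tty": sc.get("tty"),
        # A SYSCALL record exists only because a local process entered the
        # kernel; the in-kernel NFS server serves clients without syscalls, so
        # NFS client accesses never appear here and carry no client address.
        "origin": "local process",
    }


def decode(text):
    """Raw audit text -> one summary dict per event, in input order."""
    return [summarize(k, e) for k, e in parse_events(text).items()]


if __name__ == "__main__":
    # e.g.  ausearch -r -f /var/nfs/general | python3 decode_audit.py > events.jsonl
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for row in decode(raw):
        print(json.dumps(row))
```

Run on its own it decodes the embedded sample; fed the output of ausearch -r (raw records) on stdin it decodes real logs, and ausearch -i gives a comparable human-readable interpretation interactively. What the decoded sample shows is worth reading off: argv cat /var/nfs/general/nfs1.txt, exe /bin/cat, cwd /home/test, tty pts18, uid 0 with an unset auid, and a read-only open. Every one of those fields describes a process on the server itself, which is exactly the answer's point: the in-kernel NFS server never produces a SYSCALL/PATH event on a client's behalf, so there is no client IP or hostname in these records to extract, whatever parser you write.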