On Thu, Sep 04, 2014 at 12:46:47AM +0200, pinguin74 wrote:
On 03.09.2014 09:44, Marcus Meissner wrote:
On Tue, Sep 02, 2014 at 06:22:47PM +0200, pinguin74 wrote:
Hello,
it seems events in audit.log do not have time stamps. This makes analyzing events a bit uncomfortable I think.
Can you make the audit system somehow add a time stamp to logged events? Just like in /var/log/messages.
It is there ... :)
type=AVC msg=audit(1409728889.981:41): apparmor="STATUS" operation="profile_load" name="/usr/share/gitweb/gitweb.cgi" pid=655 comm="apparmor_parser"
The timestamp is 1409728889.981
$ date --date="@1409728889.981"
Wed Sep 3 09:21:29 CEST 2014
Is this their goal, to make reading the log file as hard as possible? Why not encrypt it with AES to be sure you can't read it.....
This logfile needs to be easily machine readable without ambiguities, and human readable timestamps are kind of harder to parse than just seconds since 1970. It is assumed that tools will be used to post-process it, e.g. aureport or aa-logprof or others.

Ciao, Marcus
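
The post-processing step discussed in this thread, as an added example that is not part of the original messages: a small Python parser for the msg=audit(seconds.milliseconds:serial) identifier that prefixes each record with a readable timestamp. The function names are hypothetical, and the sample record is the one quoted in the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# msg=audit(<epoch seconds>.<milliseconds>:<serial>), as in the record quoted above
AUDIT_ID = re.compile(r"msg=audit\((\d+)\.(\d{3}):(\d+)\)")
# key=value pairs; a value is either double-quoted or a run of non-space characters
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Record taken from the thread
SAMPLE = ('type=AVC msg=audit(1409728889.981:41): apparmor="STATUS" '
          'operation="profile_load" name="/usr/share/gitweb/gitweb.cgi" '
          'pid=655 comm="apparmor_parser"')


def parse_audit_line(line):
    """Return (utc_datetime, serial, fields), or None if there is no audit id."""
    m = AUDIT_ID.search(line)
    if m is None:
        return None
    secs, millis, serial = (int(g) for g in m.groups())
    # Integer arithmetic keeps the millisecond part exact (no float rounding).
    ts = (datetime.fromtimestamp(secs, tz=timezone.utc)
          + timedelta(milliseconds=millis))
    # Drop the msg=audit(...) token so it is not picked up as a field.
    rest = line[:m.start()] + line[m.end():]
    fields = {key: value.strip('"') for key, value in FIELD.findall(rest)}
    return ts, serial, fields


def humanize(line, tz=timezone.utc):
    """Prefix an audit record with an ISO 8601 timestamp in the given zone."""
    parsed = parse_audit_line(line)
    if parsed is None:
        return line  # not an audit record: pass it through unchanged
    ts, serial, _ = parsed
    stamp = ts.astimezone(tz).isoformat(timespec="milliseconds")
    return f"{stamp} #{serial} {line}"


if __name__ == "__main__":
    cest = timezone(timedelta(hours=2), "CEST")  # zone used in the thread
    print(humanize(SAMPLE, cest))
```

Records that share the same seconds.milliseconds:serial identifier belong to one audit event, so the returned pair can also serve as a grouping key.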