Viewing auditd logs in journalctl


I am using CentOS 7 and am trying to view the auditd log with journalctl.

When I try journalctl -u auditd I see the following output:

-- Logs begin at Wed 2018-09-05 08:59:19 EDT, end at Wed 2018-09-19 15:01:01 EDT. --
Sep 05 12:59:25 centos7 systemd[1]: Starting Security Auditing Service...
Sep 05 12:59:25 centos7 auditd[563]: Started dispatcher: /sbin/audispd pid: 565
Sep 05 12:59:25 centos7 audispd[565]: No plugins found, exiting
Sep 05 12:59:25 centos7 auditd[563]: Init complete, auditd 2.8.1 listening for events (startup state enable)
Sep 05 12:59:25 centos7 augenrules[567]: /sbin/augenrules: No change
Sep 05 12:59:25 centos7 augenrules[567]: No rules
Sep 05 12:59:25 centos7 augenrules[567]: enabled 1
Sep 05 12:59:25 centos7 augenrules[567]: failure 1
Sep 05 12:59:25 centos7 augenrules[567]: pid 563
Sep 05 12:59:25 centos7 augenrules[567]: rate_limit 0
Sep 05 12:59:25 centos7 augenrules[567]: backlog_limit 8192
Sep 05 12:59:25 centos7 augenrules[567]: lost 0
Sep 05 12:59:25 centos7 augenrules[567]: backlog 1
Sep 05 12:59:25 centos7 augenrules[567]: enabled 1
Sep 05 12:59:25 centos7 augenrules[567]: failure 1
Sep 05 12:59:25 centos7 augenrules[567]: pid 563
Sep 05 12:59:25 centos7 augenrules[567]: rate_limit 0
Sep 05 12:59:25 centos7 augenrules[567]: backlog_limit 8192
Sep 05 12:59:25 centos7 augenrules[567]: lost 0
Sep 05 12:59:25 centos7 augenrules[567]: backlog 1
Sep 05 12:59:25 centos7 systemd[1]: Started Security Auditing Service.

And that is where it ends.

If I run tail -3 /var/log/audit/audit.log I see the output I expect:

type=CRED_REFR msg=audit(1537383661.096:4863): pid=13894 uid=0 auid=0 ses=567 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1537383661.107:4864): pid=13894 uid=0 auid=0 ses=567 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1537383661.109:4865): pid=13894 uid=0 auid=0 ses=567 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

I looked at https://major.io/2017/01/05/display-auditd-messages-with-journalctl/

Running this command from that page gave the following output and then just waited (as expected):

$ journalctl -af _TRANSPORT=audit
-- Logs begin at Wed 2018-09-05 08:59:19 EDT. --

How do I configure journalctl, or otherwise view in journalctl, the auditd output that I see in the audit.log file?

Answer 1

I didn't find any matches there either. Then I ran journalctl _TRANSPORT=syslog and found that I did have matches. That prompted me to investigate a bit, and I found that if I filter for something specific, e.g. sshd, I do get matches, although they look completely different. Here is an actual example:

audit.log: type=CRED_REFR msg=audit(1537414472.742:270819): pid=20227 uid=0 auid=0 ses=30399 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/sshd" hostname=130.19.106.234 addr=130.19.106.234 terminal=ssh res=success'

journalctl _TRANSPORT=syslog | grep sshd | tail

Output:

Sep 19 20:34:32 ndc1ascem2rad1.eng.mobilephone.net sshd[20225]: Accepted publickey for root from 130.19.106.234 port 60853 ssh2: RSA 00:7e:b4:44:05:c0:fa:e3:xxxxxxxxxxxxxxxxxxxxxx
Sep 19 20:34:32 ndc1ascem2rad1.eng.mobilephone.net sshd[20225]: pam_unix(sshd:session): session opened for user root by (uid=0)

Note that the IP addresses match. So try _TRANSPORT=syslog.
