
List:       fedora-selinux-list
Subject:    Re: a new tool
From:       John Dennis <jdennis () redhat ! com>
Date:       2007-12-18 14:09:13
Message-ID: 4767D489.4070103 () redhat ! com

Josef Kubin wrote:
> Hello,
> 
> I've just written a simple sed script for conversion of audit.log to an html 
> counterpart, because the audit.log file over web is really hard to read 
> without highlighting by the "avc:  denied" substring and corresponding 
> timestamp group.
> 
> http://people.redhat.com/jkubin/selinux/audit2html
> 
> $ audit2html < /var/log/audit/audit.log > audit.log.html
> 
> http://people.redhat.com/jkubin/selinux/audit.log.html
> 
> http://tinyurl.com/2ek3oe
> 
> Suggestions and comments are welcomed, thank you for your feedback.

Thank you for sharing this Josef, this looks interesting and useful, but
I have a couple of questions, at least based on the example you
provided. The grouping appears to be wrong. Some items in a group share
a common timestamp, others do not and are a mix of other audit events.
Events must share a common second, millisecond, and serial number (and
host when present). I looked at the sed script to see how this was
happening but complex sed syntax is too cryptic to be readable :-( Also,
have you considered using the audit parsing library (auparse) for this
task? It is designed to make parsing audit data easy and robust (and I
dare say more readable and maintainable than sed :-)
-- 
John Dennis <jdennis@redhat.com>

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
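The grouping rule John describes (records of one event share the same second, millisecond and serial number, plus the host when a `node=` field is present) as an added Python example; this is neither Josef's sed script nor auparse, the audit records in SAMPLE are constructed, and the `denied`/`event` CSS class names are assumptions:

```python
import html
import re

# One audit event is identified by an optional "node=<host>" prefix plus the
# "<seconds>.<milliseconds>:<serial>" stamp inside msg=audit(...).
_KEY_RE = re.compile(
    r'^(?:node=(?P<host>\S+)\s+)?.*?msg=audit\('
    r'(?P<sec>\d+)\.(?P<msec>\d+):(?P<serial>\d+)\)')

def event_key(record):
    """Return (host, sec, msec, serial) for an audit record, or None if absent.
    Fields stay as strings so '1.002' and '1.2' never collide."""
    m = _KEY_RE.search(record)
    if not m:
        return None
    return (m.group('host') or '', m.group('sec'), m.group('msec'), m.group('serial'))

def group_events(lines):
    """Group records by event key, preserving first-seen order; a record
    without a parsable key becomes a group of its own."""
    groups = {}
    for i, line in enumerate(lines):
        line = line.rstrip('\n')
        if not line:
            continue
        key = event_key(line) or ('unparsed', i)
        groups.setdefault(key, []).append(line)
    return list(groups.items())

def is_denial(records):
    """True if any record of the event carries an AVC denial."""
    return any('avc:  denied' in r for r in records)

def to_html(lines):
    """Render grouped events as <pre> blocks, denials marked with class 'denied'."""
    out = ['<html><body><pre>']
    for _key, records in group_events(lines):
        out.append('<div class="%s">' % ('denied' if is_denial(records) else 'event'))
        out.extend(html.escape(r) for r in records)
        out.append('</div>')
    out.append('</pre></body></html>')
    return '\n'.join(out)

# Constructed sample: one AVC denial with its SYSCALL record, then an unrelated
# event with the same second but a different serial number.
SAMPLE = [
    'type=AVC msg=audit(1197986953.123:4567): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1197986953.123:4567): arch=40000003 syscall=5 success=no exit=-13 pid=1234 comm="httpd"',
    'type=USER_LOGIN msg=audit(1197986953.123:4568): user pid=2000 uid=0 auid=500 msg=\'acct="josef" res=success\'',
]
```

Running `print(to_html(SAMPLE))` yields two `<div>` blocks, the first marked `denied`; feeding `sys.stdin` instead of SAMPLE reproduces Josef's filter-style usage.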