Convert SELinux log date format from Epoch to Normal

dateepoch-timeselinux

When SELinux logs an event to the audit log on my CentOS 6 system, it's logging it in epoch time which makes for a real hassle when trying to troubleshoot. Is there any way to make it log these events using human readable date formats? I've looked through the conf files and googled around but can't seem to find anything on it.

Best Answer

I don't think there are any configuration options, but I found a script that will prepend human readable times:

egrep '^type=(AVC|SELINUX)' /var/log/audit/audit.log |
while read line; do
   time=`echo $line | sed 's/.*audit(\([0-9]*\).*/\1/'`;
   echo `date -d @$time` $line;
done

Source: http://blog.commandlinekungfu.com/2010/08/episode-106-epoch-fail.html

Related Solutions

Ftp – pure-ftpd auth blocked by SELinux

A number of SELinux policies are flagged dontaudit so that they do not leave messages in the audit log. This is usually because they are policies that would just spam the log with useless entries, but sometimes developers dontaudit a denial rather than fixing the underlying problem. The policy you're hitting is almost certainly among these, since you aren't seeing any messages being logged in audit.log.

You can temporarily disable dontaudit by running:

semodule -DB

After you've discovered the cause of the problem, re-enable dontaudit with:

semodule -B

To build your policy once you've generated it, run:

make -f /usr/share/selinux/devel/Makefile

Linux – Logstash: UNIX Epoch time not getting converted to readable format

If the errors are really being caused by the extra whitespace in the time_stamp field, you can use the mutate filter to strip it out. Your filter would then look like this:

filter {
  if [type] == "squid" {
    grok {
      patterns_dir   => [ "/etc/logstash/patterns" ]
      match => { message => "%{SQUID_LOG}" }
    }
    mutate {
      strip => ["time_stamp"]
    }
    date {
      match => [ "time_stamp", "UNIX" ]
    }
 }
}

Update

If all the log entries have exactly 6 extra spaces after the timestamp, update your grok pattern as follows. Note the extra spaces between time_stamp and time_epapsed_ms.

((%{DATA:time_stamp})      (%{NUMBER:time_elapsed_ms}) (%{IPV4:client_ip}) (%{WORD:req_stat})/(%{INT:reply_code}) (%{INT:request_size}) (%{WORD:http_method}) (%{URIPROTO:request_protocol}://)?%{IPORHOST:request_hostname}(?::%{POSINT:port})?(?:%{URIPATHPARAM:uri_param}|) (%{USERNAME:user}) (%{WORD:squid_hierarchy})/(%{HOST:server}|-) (%{DATA:content_type}) (%{WORD:snaction}|-))

If there's a possibility that it might be more or less than 6 spaces, the following should work.

((%{DATA:time_stamp})%{SPACE}(%{NUMBER:time_elapsed_ms}) (%{IPV4:client_ip}) (%{WORD:req_stat})/(%{INT:reply_code}) (%{INT:request_size}) (%{WORD:http_method}) (%{URIPROTO:request_protocol}://)?%{IPORHOST:request_hostname}(?::%{POSINT:port})?(?:%{URIPATHPARAM:uri_param}|) (%{USERNAME:user}) (%{WORD:squid_hierarchy})/(%{HOST:server}|-) (%{DATA:content_type}) (%{WORD:snaction}|-))

Best Answer

Related Solutions

Ftp – pure-ftpd auth blocked by SELinux

Linux – Logstash: UNIX Epoch time not getting converted to readable format

Related Topic