Linux – View auditd logs in journalctl

auditdcentos7journalctllinuxlogging

I'm using CentOS 7. trying to view auditd logs in journalctl

When I try journalctl -u auditd I see the following output:

-- Logs begin at Wed 2018-09-05 08:59:19 EDT, end at Wed 2018-09-19 15:01:01 EDT. --
Sep 05 12:59:25 centos7 systemd[1]: Starting Security Auditing Service...
Sep 05 12:59:25 centos7 auditd[563]: Started dispatcher: /sbin/audispd pid: 565
Sep 05 12:59:25 centos7 audispd[565]: No plugins found, exiting
Sep 05 12:59:25 centos7 auditd[563]: Init complete, auditd 2.8.1 listening for events (startup state enable)
Sep 05 12:59:25 centos7 augenrules[567]: /sbin/augenrules: No change
Sep 05 12:59:25 centos7 augenrules[567]: No rules
Sep 05 12:59:25 centos7 augenrules[567]: enabled 1
Sep 05 12:59:25 centos7 augenrules[567]: failure 1
Sep 05 12:59:25 centos7 augenrules[567]: pid 563
Sep 05 12:59:25 centos7 augenrules[567]: rate_limit 0
Sep 05 12:59:25 centos7 augenrules[567]: backlog_limit 8192
Sep 05 12:59:25 centos7 augenrules[567]: lost 0
Sep 05 12:59:25 centos7 augenrules[567]: backlog 1
Sep 05 12:59:25 centos7 augenrules[567]: enabled 1
Sep 05 12:59:25 centos7 augenrules[567]: failure 1
Sep 05 12:59:25 centos7 augenrules[567]: pid 563
Sep 05 12:59:25 centos7 augenrules[567]: rate_limit 0
Sep 05 12:59:25 centos7 augenrules[567]: backlog_limit 8192
Sep 05 12:59:25 centos7 augenrules[567]: lost 0
Sep 05 12:59:25 centos7 augenrules[567]: backlog 1
Sep 05 12:59:25 centos7 systemd[1]: Started Security Auditing Service.

and that's where it ends.

If I run tail -3 /var/log/audit/audit.log I see the output I expect:

type=CRED_REFR msg=audit(1537383661.096:4863): pid=13894 uid=0 auid=0 ses=567 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

type=CRED_DISP msg=audit(1537383661.107:4864): pid=13894 uid=0 auid=0 ses=567 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

type=USER_END msg=audit(1537383661.109:4865): pid=13894 uid=0 auid=0 ses=567 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

I looked at the instructions from https://major.io/2017/01/05/display-auditd-messages-with-journalctl/

Running this command from that page gave me this output and then waited (as expected).

$ journalctl -af _TRANSPORT=audit
-- Logs begin at Wed 2018-09-05 08:59:19 EDT. --

How do I configure journalctl or auditd to view the output I see from the audit.log file in journalctl?

Best Answer

I did not find any matches there either. Then I did this journalctl _TRANSPORT=syslog and found that I did have matches. This led me to some investigation and I found that if I filtered for something specific, for example sshd, then I found matches although they look completely different. Here's an actual example:

audit.log : type=CRED_REFR msg=audit(1537414472.742:270819): pid=20227 uid=0 auid=0 ses=30399 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/sshd" hostname=130.19.106.234 addr=130.19.106.234 terminal=ssh res=success'
journalctl _TRANSPORT=syslog | grep sshd | tail

output

Sep 19 20:34:32 ndc1ascem2rad1.eng.mobilephone.net sshd[20225]: Accepted publickey for root from 130.19.106.234 port 60853 ssh2: RSA 00:7e:b4:44:05:c0:fa:e3:xxxxxxxxxxxxxxxxxxxxxx
Sep 19 20:34:32 ndc1ascem2rad1.eng.mobilephone.net sshd[20225]: pam_unix(sshd:session): session opened for user root by (uid=0)

Notice the IP addresses match. So try _TRANSPORT=syslog instead.

Related Solutions

Way to make journalctl show logs from “the last time foo.service ran”

Since systemd version 232, we have the concept of invocation ID. Each time a unit is ran, it has a unique 128 bit invocation ID. Unlike MainPID which can be recycled, or ActiveEnterTimestamp which can have resolution troubles, it is a failsafe way to get all the log of a particular systemd unit invocation.

To obtain the latest invocation ID of a unit

$ systemctl show --value -p InvocationID openipmi
bd3eb84c3aa74169a3dcad2af183885b

To obtain the journal of the latest invocation of, say, openipmi, whether it failed or not, you can use the one liner

$ journalctl _SYSTEMD_INVOCATION_ID=`systemctl show -p InvocationID --value openipmi.service`
-- Logs begin at Thu 2018-07-26 12:09:57 IDT, end at Mon 2019-07-08 01:32:50 IDT. --
Jun 21 13:03:13 build03.lbits openipmi[1552]:  * Starting ipmi drivers
Jun 21 13:03:13 build03.lbits openipmi[1552]:    ...fail!
Jun 21 13:03:13 build03.lbits openipmi[1552]:    ...done.

(Note that the --value is available since systemd 230, older than InvocationID)

Ubuntu – How do view older journalctl logs (after a rotation maybe?)

It could be because you are trying to review the journal since the last boot, which seems likely to be the case inside a docker image.

On Ubuntu 16.04, the journal storage defaults to being in-memory. You can change the default to be persistent by opening /etc/systemd/journald.conf and changing the Storage= line from auto to persistent. You may need to restart journald by systemctl restart systemd-journald after the config file edit.

I think the journal should be persistent-by-default, so I opened a bug about that.

Best Answer

Related Solutions

Way to make journalctl show logs from “the last time foo.service ran”

Ubuntu – How do view older journalctl logs (after a rotation maybe?)

Related Topic