4

When SELinux logs an event to the audit log on my CentOS 6 system, it's logging it in epoch time which makes for a real hassle when trying to troubleshoot. Is there any way to make it log these events using human readable date formats? I've looked through the conf files and googled around but can't seem to find anything on it.

Safado
  • 4,786
  • 7
  • 37
  • 54

3 Answers

4

I don't think there are any configuration options, but I found a script that will prepend human readable times:

grep -E '^type=(AVC|SELINUX)' /var/log/audit/audit.log |
while read line; do
   # pull the epoch seconds out of msg=audit(EPOCH.MS:SERIAL)
   time=$(echo "$line" | sed 's/.*audit(\([0-9]*\).*/\1/')
   # prepend the converted date to the original record ($line quoted so
   # the shell does not word-split or glob-expand the log text)
   echo "$(date -d "@$time")" "$line"
done

Source: http://blog.commandlinekungfu.com/2010/08/episode-106-epoch-fail.html

Rsaesha
  • 360
  • 3
  • 11
  • Thanks. The script works really well! Also, +1 for quanta's script, which works as well just not as much filtering. I was hoping there was a way to make it just write the normal date format when logging but that doesn't seem to be an available option. – Safado Nov 04 '11 at 17:11
3

You can use ausearch with the -i option to interpret the results into human-readable form:

# grep -i avc /var/log/audit/audit.log | ausearch -i

Perl code:

# tail -f /var/log/audit/audit.log | perl -pe 's/(\d+)/localtime($1)/e'
quanta
  • 51,413
  • 19
  • 159
  • 217
1

You can use the sed and date commands to convert the datetime and then format it.

# note: GNU sed's 'e' flag runs the rewritten pattern space as a shell command,
# so the whole log line (not just the timestamp) is handed to the shell
tail -f /var/log/audit/audit.log | sed -re 's/(^.+)([0-9]{10})(.+$)/echo "\1"`date -d @\2 +%Y-%m-%d_%H:%M:%S`"\3"/e'

The same using perl (here only the captured digits $1 reach the shell):

tail -f /var/log/audit/audit.log | perl -pe 's/(\d{10})/`echo -n \`date -d \@$1 +%Y-%m-%d_%H:%M:%S\``/e'
shmakovpn
  • 111
  • 2
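An added example that is not from any of the answers above, written in Python instead of a one-liner: it locates the msg=audit(EPOCH.MS:SERIAL) field explicitly rather than taking the first or last digit run, keeps the millisecond part, and never passes log text to a shell (the sed 'e' variant above does). The function names, the record-type filter and the sample records are my own constructions.

```python
import re
from datetime import datetime, timezone

# Anchor on the audit message id field, not on "the first digit run": a
# leading "node=host1" or a numeric field elsewhere must not be mistaken
# for the timestamp.
AUDIT_TS = re.compile(r"msg=audit\((?P<epoch>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\)")
TYPE_RE = re.compile(r"\btype=(\w+)")

def humanize_audit_line(line, tz=timezone.utc):
    """Return (timestamp_str, line); only the captured digits are converted.

    The log text is treated purely as data and returned unchanged, so a
    crafted file or command name in a record is never executed the way the
    sed 'e' flag or unquoted shell expansion would. Lines with no parsable
    msg=audit() field come back with an empty timestamp."""
    m = AUDIT_TS.search(line)
    if not m:
        return "", line
    epoch = int(m.group("epoch"))
    stamp = datetime.fromtimestamp(epoch, tz).strftime("%Y-%m-%d %H:%M:%S")
    return f"{stamp}.{m.group('ms')}", line

# SELinux-related record types (AVC, USER_AVC and SELINUX_ERR are real audit
# types); pass types=None to keep every record.
SELINUX_TYPES = ("AVC", "USER_AVC", "SELINUX_ERR")

def humanize_audit_log(lines, types=SELINUX_TYPES):
    """Yield 'TIMESTAMP record' for each line whose type= is in `types`."""
    for raw in lines:
        line = raw.rstrip("\n")
        if types is not None:
            t = TYPE_RE.search(line)
            if not t or t.group(1) not in types:
                continue
        stamp, text = humanize_audit_line(line)
        yield f"{stamp} {text}" if stamp else text

# Constructed sample records (not real audit output)
SAMPLE = [
    'type=AVC msg=audit(1320000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html"',
    'node=web01 type=SYSCALL msg=audit(1320000000.123:456): arch=c000003e syscall=2 success=no',
    'type=AVC msg=audit(1320000030.500:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="*.log"',
]

if __name__ == "__main__":
    for out in humanize_audit_log(SAMPLE):
        print(out)
```

Run it against the live file with `humanize_audit_log(open("/var/log/audit/audit.log"))`; timestamps are printed in UTC unless another tzinfo is passed.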