How do you sort through specific Event IDs in audit logs?

I know the answer is to use ausearch from a command line.  According to the ausearch man entry, the Event ID comes after the ":" in the msg=audit line entry.  As an example, msg=audit(1116360555.329:2401771) would mean that "2401771" is the Event ID.  But in looking though the audit.logs, it seems as if that number is simply a sequential marker.  Also, I've searched the Internet to try and find something more about Linux audit.log files but everything seems to be geared towards Windows Event IDs.

For instance, we would like to be able to see if a user has tried to access a file they are not authorized to open.  What Event ID would that be and how would we use ausearch to look for such events?

Is there a listing somewhere which gives the definitions of each individual Event ID and how to interpret them so that we can sort on specific events rather than having to cull though each 8M audit.log file?
L3MSAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
chris_calabreseConnect With a Mentor Commented:
Linux/Unix audit logs do not contain Event IDs in the same sense as Windows logs. That makes them a bit more difficult to parse though, but it also allows them to be more flexible in handling corner cases that the log system designers didn't think about ahead of time.

I haven't worked with Linux kernel audit logs so I can't give any specifics, but typically your best bet will be to write a Perl script that parses through the logs and pulls out the info you're interested in.
0
 
kblack05Connect With a Mentor Commented:
Perhaps you should consider a logging interface such as Splunk, which can help you make MUCH more sense of your log files: http://www.splunk.com/
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.