Home / server / Questions / 327846
Accepted
Safado
Asked: 2011-11-05 07:45:38 +0800 CST

Convert SELinux log date format from Epoch to Normal

  • 772

When SELinux logs an event to the audit log on my CentOS 6 system, it's logging it in epoch time which makes for a real hassle when trying to troubleshoot. Is there any way to make it log these events using human readable date formats? I've looked through the conf files and googled around but can't seem to find anything on it.

selinux epoch-time date

3 Answers

  1. Best Answer

    I don't think there are any configuration options, but I found a script that will prepend human readable times:

    egrep '^type=(AVC|SELINUX)' /var/log/audit/audit.log |
while read line; do
   time=`echo $line | sed 's/.*audit(\([0-9]*\).*/\1/'`;
   echo `date -d @$time` $line;
done

    Source: http://blog.commandlinekungfu.com/2010/08/episode-106-epoch-fail.html

    • 4

  2. You can use ausearch with -i option to interpret results to be human readable:

    # grep -i avc /var/log/audit/audit.log | ausearch -i

    Perl code:

    # tail -f /var/log/audit/audit.log | perl -pe 's/(\d+)/localtime($1)/e'
    • 3

  3. You can use sed and date commands to convert datetime then to format it.

    tail -f /var/log/audit/audit.log | sed -re 's/(^.+)([0-9]{10})(.+$)/echo "\1"`date -d @\2 +%Y-%m-%d_%H:%M:%S`"\3"/e'

    the same using perl:

    tail -f /var/log/audit/audit.log | perl -pe 's/(\d{10})/`echo -n \`date -d \@$1 +%Y-%m-%d_%H:%M:%S\``/e'
    • 1