Use audit-explain tool
You can use the audit-explain tool to translate the audit messages in the audit log into an easy-to-read format.
You must have specific access permissions.
You must have the
You must know the IP address of the primary Admin Node.
The audit-explain tool, available on the primary Admin Node, provides simplified summaries of the audit messages in an audit log. Because the summaries omit fields from the original messages, refer to the raw message in the audit log when you need every detail of an event.
This example shows typical output from the audit-explain tool. These four SPUT audit messages were generated when the S3 tenant with account ID 92484777680322627870 used S3 PUT requests to create a bucket named "bucket1" and add three objects to that bucket.
SPUT S3 PUT bucket bucket1 account:92484777680322627870 usec:124673
SPUT S3 PUT object bucket1/part1.txt tenant:92484777680322627870 cbid:9DCB157394F99FE5 usec:101485
SPUT S3 PUT object bucket1/part2.txt tenant:92484777680322627870 cbid:3CFBB07AB3D32CA9 usec:102804
SPUT S3 PUT object bucket1/part3.txt tenant:92484777680322627870 cbid:5373D73831ECC743 usec:93874
The audit-explain tool can process plain or compressed audit logs, and it can process multiple files at once. For example:
audit-explain audit.log 2019-08-12.txt.gz 2019-08-13.txt.gz
The audit-explain tool can accept input from a pipe, which allows you to filter and preprocess the input using the grep command or other means. For example:
grep SPUT audit.log | audit-explain
grep bucket-name audit.log | audit-explain
Since audit logs can be very large and slow to parse, you can save time by filtering the parts that you want to look at and running audit-explain on those parts instead of the entire file.
zcat audit.log.gz | audit-explain
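As an added example (not from the StorageGRID documentation or the audit-explain tool itself), the following Python script sits at the end of such a pipeline and post-processes audit-explain output: it counts messages per tenant and bucket and lists the slowest requests. It assumes the line layout shown above (message code, a short description, then key:value fields such as tenant:, cbid: and usec:), treats the usec field as the request time in microseconds (an assumption; the page does not define the field), and runs on a constructed sample when nothing is piped in.

```python
"""Post-process audit-explain output: per-tenant/bucket counts and slow requests.

Added example, not part of StorageGRID or the audit-explain tool. It assumes the
line layout shown on this page (message code, a short description, then
key:value fields such as tenant:, cbid: and usec:) and is meant to run on the
output of audit-explain, not on the raw audit.log. Treating usec as the request
time in microseconds is an assumption.
"""
import re
import sys
from collections import defaultdict

# Constructed sample, modelled on the four SPUT lines shown on this page.
SAMPLE = """\
SPUT S3 PUT bucket bucket1 account:92484777680322627870 usec:124673
SPUT S3 PUT object bucket1/part1.txt tenant:92484777680322627870 cbid:9DCB157394F99FE5 usec:101485
SPUT S3 PUT object bucket1/part2.txt tenant:92484777680322627870 cbid:3CFBB07AB3D32CA9 usec:102804
SPUT S3 PUT object bucket1/part3.txt tenant:92484777680322627870 cbid:5373D73831ECC743 usec:93874
"""

FIELD_RE = re.compile(r"^([A-Za-z_]\w*):(\S+)$")


def parse_line(line):
    """Split one audit-explain line into its message code, description words
    and key:value fields. Returns None for blank lines."""
    tokens = line.split()
    if not tokens:
        return None
    code, words, fields = tokens[0], [], {}
    for tok in tokens[1:]:
        m = FIELD_RE.match(tok)
        if m:
            fields[m.group(1)] = m.group(2)
        else:
            words.append(tok)
    # The bucket-creation line carries account:, the object lines carry tenant:;
    # both hold the S3 tenant account ID, so normalise them to one key.
    tenant = fields.get("tenant") or fields.get("account")
    # For S3 messages the resource name follows the word "bucket" or "object";
    # an object is written as bucket/key, so the bucket is the part before "/".
    resource = None
    for i, w in enumerate(words):
        if w in ("bucket", "object") and i + 1 < len(words):
            resource = words[i + 1]
            break
    bucket = resource.split("/", 1)[0] if resource else None
    usec = int(fields["usec"]) if fields.get("usec", "").isdigit() else None
    return {"code": code, "tenant": tenant, "bucket": bucket,
            "resource": resource, "usec": usec, "fields": fields}


def summarize(text):
    """Count messages and track the slowest one per (tenant, bucket)."""
    stats = defaultdict(lambda: {"count": 0, "max_usec": 0, "codes": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["tenant"] is None:
            continue
        entry = stats[(rec["tenant"], rec["bucket"])]
        entry["count"] += 1
        entry["codes"].add(rec["code"])
        if rec["usec"] is not None:
            entry["max_usec"] = max(entry["max_usec"], rec["usec"])
    return dict(stats)


def slow_requests(text, threshold_usec):
    """Return (resource, usec) for messages whose usec exceeds the threshold,
    slowest first, to spot requests that stand out for one tenant or bucket."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["usec"] is not None and rec["usec"] > threshold_usec:
            hits.append((rec["resource"], rec["usec"]))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    # Typical use:  grep SPUT audit.log | audit-explain | python3 summarize.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for (tenant, bucket), s in sorted(summarize(text).items()):
        print(f"tenant {tenant} bucket {bucket}: {s['count']} msgs, "
              f"codes {sorted(s['codes'])}, slowest {s['max_usec']} usec")
    for resource, usec in slow_requests(text, 100000):
        print(f"slow: {resource} {usec} usec")
```

Filter the raw audit.log with grep first, as the page recommends, so that only the message types of interest reach audit-explain and this script; the parser tolerates lines that carry no tenant or usec field by skipping them rather than failing.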
Use the help (-h) option to see the available options. For example:
$ audit-explain -h
Log in to the primary Admin Node:
Enter the following command:
Enter the password listed in the
Enter the following command, where /var/local/audit/export/audit.log represents the name and the location of the file or files you want to analyze:
$ audit-explain /var/local/audit/export/audit.log
The audit-explain tool prints human-readable interpretations of all messages in the specified file or files.
To reduce line lengths and to aid readability, timestamps are not shown by default. If you want to see the timestamps, use the timestamp (