kevsmith/audit-search.sh

## audit-search.sh
#!/bin/bash

# Put all kernel audit messages in a log file we can search with ausearch
cat /var/log/messages | grep -o -E "audit: .*" | sed -e 's/audit: //g' > /tmp/kernel_audit.log

# Grab all failing audit entries
entries=$(cat /tmp/kernel_audit.log | grep "success=no" | grep -E "(datadog-agent|beam)" | \
              grep -o -E "audit\([0-9]+\.[0-9]+:[0-9]+\)" | cut -d: -f2 | grep -o -E "[0-9]+")

# Display human-friendly version of each entry
for e in ${entries}
do
    ausearch -if /tmp/kernel_audit.log -a ${e}
done
	#!/bin/bash

	# Put all kernel audit messages in a log file we can search with ausearch
	cat /var/log/messages \| grep -o -E "audit: .*" \| sed -e 's/audit: //g' > /tmp/kernel_audit.log

	# Grab all failing audit entries
	entries=$(cat /tmp/kernel_audit.log \| grep "success=no" \| grep -E "(datadog-agent\|beam)" \| \
	grep -o -E "audit\([0-9]+\.[0-9]+:[0-9]+\)" \| cut -d: -f2 \| grep -o -E "[0-9]+")

	# Display human-friendly version of each entry
	for e in ${entries}
	do
	ausearch -if /tmp/kernel_audit.log -a ${e}
	done