More About the Audit Files

Each audit file is a self-contained collection of records; the file's name identifies the time span during which the records were generated and the machine that generated them.

Audit File Naming

Audit files that are complete have names of the following form:

start-time.finish-time.machine 

where start-time is the time of the first audit record in the audit file, finish-time is the time of the last record, and machine is the name of the machine that generated the file. An example of these names can be found in "Example of a Closed Audit File Name".

If the audit log file is still active, it has a name of the following form:

start-time.not_terminated.machine

How Audit File Names Are Used

The file name time stamps are used by auditreduce to locate files containing records for the specific time range that has been requested; this is important because there may be a month's supply or more of audit files on line, and searching them all for records generated in the last 24 hours would be unacceptably expensive.

Time-Stamp Format and Interpretation

The start-time and end-time are time stamps with one-second resolution; they are specified in Greenwich mean time. The format is four digits for the year, followed by two for each month, day, hour, minute, and second, as shown below.

YYYYMMDDHHMMSS

The time stamps are in GMT to ensure that they will sort in proper order even across a daylight savings time boundary. Because they are in GMT, the date and hour must be translated to the current time zone to be meaningful; beware of this whenever manipulating these files with standard file commands rather than with auditreduce.

Example of a File Name for a Still-Active File

The format of a file name of a still-active file is shown below:

YYYYMMDDHHMMSS.not_terminated.hostname

Here is an example:

19900327225243.not_terminated.lazy

The audit log files are named by the beginning date, so the example above was started in 1990, on March 27, at 10:52:43 p.m, GMT. The not_terminated in the file name means either that the file is still active or that auditd was unexpectedly interrupted. The name lazy at the end is the host name whose audit data is being collected.

Example of a Closed Audit File Name

The format of the name of a closed audit log file is shown below:

YYYYMMDDHHMMSS.YYYYMMDDHHMMSS.hostname

Here is an example:

19900320005243.19900327225351.lazy

The example above was started in 1990, on March 20, at 12:52:43 a.m., GMT. The file was closed March 27, at 10:53:51 p.m., GMT. The name lazy at the end is the host name of the machine whose audit data is being collected.

Whenever auditd is unexpectedly interrupted, the audit file open at the time gets the not_terminated end file name time stamp. Also, when a machine is writing to a remotely mounted audit file and the file server crashes or becomes inaccessible, the not_terminated end time stamp remains in the current file's name. The audit daemon opens a new audit file and keeps the old name intact.