hadoop/hadoop-hdds/docs/content/AuditParser.md

---
title: Audit Parser
date: 2018-12-17
menu:
   main:
      parent: Tools
---

The Audit Parser tool can be used for querying the Ozone audit logs. It creates a SQLite database at the specified path; if the database already exists, it reuses it rather than creating a new one.

The database contains only one table called `audit`, defined as:

{{< highlight sql >}}
CREATE TABLE IF NOT EXISTS audit (
  datetime text,
  level varchar(7),
  logger varchar(7),
  user text,
  ip text,
  op text,
  params text,
  result varchar(7),
  exception text,
  UNIQUE(datetime,level,logger,user,ip,op,params,result)
)
{{< /highlight >}}

Usage:
{{< highlight bash >}}
ozone auditparser <path to db file> [COMMAND] [PARAM]
{{< /highlight >}}

To load an audit log into the database:
{{< highlight bash >}}
ozone auditparser <path to db file> load <path to audit log>
{{< /highlight >}}
The load command creates the `audit` table described above.

To run a custom read-only query:
{{< highlight bash >}}
ozone auditparser <path to db file> query <select-style query enclosed within double quotes>
{{< /highlight >}}

Audit Parser comes with a set of templates (the most commonly used queries).

To run a template query:
{{< highlight bash >}}
ozone auditparser <path to db file> template <templateName>
{{< /highlight >}}

The following templates are available:

| Template Name | Description | SQL |
|---|---|---|
| top5users | Top 5 users | `select user,count(*) as total from audit group by user order by total DESC limit 5` |
| top5cmds | Top 5 commands | `select op,count(*) as total from audit group by op order by total DESC limit 5` |
| top5activetimebyseconds | Top 5 active times, grouped by seconds | `select substr(datetime,1,charindex(',',datetime)-1) as dt,count(*) as thecount from audit group by dt order by thecount DESC limit 5` |
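To show how the load and template steps fit together, here is an added Python example (not part of the Ozone docs or the tool's own code) that parses constructed audit lines into the `audit` table defined above, loads them so the UNIQUE constraint drops exact repeats, runs the three templates, and rejects any non-read-only custom query. The pipe-separated log layout, the sample lines and the `open_db`/`parse_line`/`load`/`query` names are assumptions; the third template uses `instr()` because stock SQLite has no `charindex()`.

```python
import re
import sqlite3

SCHEMA = """CREATE TABLE IF NOT EXISTS audit (datetime text, level varchar(7), logger varchar(7),
  user text, ip text, op text, params text, result varchar(7), exception text,
  UNIQUE(datetime,level,logger,user,ip,op,params,result))"""

TEMPLATES = {
    "top5users": "select user,count(*) as total from audit group by user order by total DESC limit 5",
    "top5cmds": "select op,count(*) as total from audit group by op order by total DESC limit 5",
    # The page writes charindex(); stock SQLite spells that function instr().
    "top5activetimebyseconds": "select substr(datetime,1,instr(datetime,',')-1) as dt,count(*) as thecount"
                               " from audit group by dt order by thecount DESC limit 5",
}

# Constructed sample lines; the "|"-separated layout is an assumption, not taken from the page.
SAMPLE_LOG = """\
2018-12-17 16:06:19,894 | INFO  | OMAudit | user=hadoop | ip=127.0.0.1 | op=CREATE_VOLUME {volume=vol1} | ret=SUCCESS |
2018-12-17 16:06:19,901 | INFO  | OMAudit | user=hadoop | ip=127.0.0.1 | op=CREATE_BUCKET {volume=vol1, bucket=b1} | ret=SUCCESS |
2018-12-17 16:06:20,117 | ERROR | OMAudit | user=eve | ip=10.0.0.9 | op=DELETE_VOLUME {volume=vol1} | ret=FAILURE | OMException: Not allowed
2018-12-17 16:06:20,117 | ERROR | OMAudit | user=eve | ip=10.0.0.9 | op=DELETE_VOLUME {volume=vol1} | ret=FAILURE | OMException: Not allowed
"""

def open_db(path=":memory:"):
    """Open (or create) the sqlite database; in-memory by default so the example runs anywhere."""
    return sqlite3.connect(path)

def parse_line(line):
    """Map one audit line onto the nine audit columns; None if the line does not fit the layout."""
    f = [x.strip() for x in line.split("|")]
    m = len(f) >= 7 and re.match(r"op=(\S+) \{(.*)\}$", f[5])
    if not (m and f[3].startswith("user=") and f[4].startswith("ip=") and f[6].startswith("ret=")):
        return None
    return (f[0], f[1], f[2], f[3][5:], f[4][3:], m.group(1), m.group(2), f[6][4:], " | ".join(f[7:]).strip())

def load(conn, log_text):
    """Create the audit table if needed and insert every parsable line; INSERT OR IGNORE honours UNIQUE."""
    conn.execute(SCHEMA)
    rows = [r for r in map(parse_line, log_text.splitlines()) if r]
    conn.executemany("INSERT OR IGNORE INTO audit VALUES (?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn.execute("select count(*) from audit").fetchone()[0]

def query(conn, sql):
    """Run a custom statement under SQLite's query_only pragma, so any write is rejected."""
    conn.execute("PRAGMA query_only = 1")
    try:
        return conn.execute(sql).fetchall()
    finally:
        conn.execute("PRAGMA query_only = 0")
```

Re-loading the same file leaves the row count unchanged, which is what makes repeated imports of a rotated log safe.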