Audit Parser

Audit Parser tool can be used for querying the ozone audit logs. This tool creates a sqlite database at the specified path. If the database already exists, it will avoid creating a database.

The database contains only one table called audit defined as:

CREATE TABLE IF NOT EXISTS audit ( datetime text, level varchar(7), logger varchar(7), user text, ip text, op text, params text, result varchar(7), exception text, UNIQUE(datetime,level,logger,user,ip,op,params,result))

Usage:

ozone auditparser <path to db file> [COMMAND] [PARAM]

To load an audit log to database:

ozone auditparser <path to db file> load <path to audit log>
Load command creates the audit table described above.

To run a custom read-only query:

ozone auditparser <path to db file> query <select query enclosed within double quotes>

Audit Parser comes with a set of templates(most commonly used queries).

To run a template query:

ozone auditparser <path to db file> template <templateName>

Following templates are available:

Template Name Description SQL
top5users Top 5 users select user,count(*) as total from audit group by user order by total DESC limit 5
top5cmds Top 5 commands select op,count(*) as total from audit group by op order by total DESC limit 5
top5activetimebyseconds Top 5 active times, grouped by seconds select substr(datetime,1,charindex(’,’,datetime)-1) as dt,count(*) as thecount from audit group by dt order by thecount DESC limit 5
Next >>