I like having a terminal open with dmesg so I can see the logs in real-time. However, the audit logs are quite long, and I was wondering if there was a way to filter messages (maybe with sed/awk?) before they get sent to the kernel ring buffer?
audit: type=1105 audit(166671842.234:346): pid=8324 uid=1000 auid=1000 ses=1 msg'op=PAM:session_open grantors=pam_systemd_home,pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname => addr=? terminal=/dev/pts/2 res=success
is a common one when I run sudo, but I’d like to change it to something like this:
audit: pid=8324 exe="/usr/bin/sudo" terminal=/dev/pts/2 res=success
I’ve looked online and all I’ve found are ways to silence these messages completely.
Is there any way to filter these messages (besides modifying the source code of audit and recompiling)? Or can someone suggest another utility where I can see logs in a custom format?
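One way to get the shortened form without touching auditd or the kernel is to filter dmesg's output in user space rather than before it reaches the ring buffer. The following is an added example, not code from the post: a hypothetical `filter_audit` shell function (awk underneath) that keeps only chosen key=value fields of each audit record, passes non-audit lines through unchanged, and is meant to be used as `dmesg -w | filter_audit`. The sample line is constructed, modeled on the one in the post.

```shell
#!/bin/sh
# filter_audit [key ...]  -  read kernel log lines on stdin, shorten audit records.
# Default keys: pid exe terminal res. Fields are emitted in the order they appear
# in the record. Non-audit lines (and any dmesg timestamp prefix) are preserved.
filter_audit() {
    keep="$*"
    [ -n "$keep" ] || keep="pid exe terminal res"
    awk -v keep="$keep" '
    BEGIN { n = split(keep, want, " ") }
    # Lines that are not audit records pass through untouched.
    !/audit: type=[0-9]+ audit\(/ { print; next }
    {
        # Keep whatever precedes "audit:" (e.g. a "[  812.345678]" dmesg timestamp).
        match($0, /audit: type=/)
        out = substr($0, 1, RSTART - 1) "audit:"
        # Walk the space-separated key=value tokens. Note: the audit msg field wraps
        # further pairs in single quotes, so "res=success'"'"'" carries the closing
        # quote; values containing spaces are not handled (audit hex-encodes most).
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1)
            for (j = 1; j <= n; j++) {
                if (key == want[j]) {
                    tok = $i
                    gsub("\047", "", tok)   # \047 is the single quote
                    out = out " " tok
                    break
                }
            }
        }
        print out
    }'
}

# Constructed sample records, modeled on the line quoted in the post (not real logs).
SAMPLE_AUDIT_LINE="audit: type=1105 audit(166671842.234:346): pid=8324 uid=1000 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_systemd_home,pam_limits,pam_unix,pam_permit acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=/dev/pts/2 res=success'"
SAMPLE_WITH_TS="[  812.345678] $SAMPLE_AUDIT_LINE"

# Demo: prints  audit: pid=8324 exe="/usr/bin/sudo" terminal=/dev/pts/2 res=success
printf '%s\n' "$SAMPLE_AUDIT_LINE" | filter_audit
```

Because the filtering happens after the record is logged, the full audit trail in the ring buffer and in auditd's own log is left intact; only the live view is shortened.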