The local audit logs show the correct date/time for events, for example:
# aureport -l -if /var/log/audit/audit.log
Login Report
============================================
# date time auid host term exe success event
============================================
1. 05/28/2017 15:25:02 -1 10.0.0.193 ssh /usr/sbin/sshd yes 90668
2. 05/29/2017 15:25:02 -1 10.0.0.193 ssh /usr/sbin/sshd yes 102556
3. 05/30/2017 15:25:01 -1 10.0.0.193 ssh /usr/sbin/sshd yes 114431
4. 05/30/2017 16:08:23 -1 10.0.0.193 /dev/pts/0 /usr/sbin/sshd yes 114827
5. 05/30/2017 16:36:09 -1 10.0.0.193 /dev/pts/0 /usr/sbin/sshd yes 115097
# aureport -l -if ./ip-10-0-0-131_audit.log.old
Login Report
============================================
# date time auid host term exe success event
============================================
1. 01/18/1970 07:35:57 -1 10.0.0.193 ssh /usr/sbin/sshd yes 0
2. 01/18/1970 07:36:00 -1 10.0.0.193 /dev/pts/0 /usr/sbin/sshd yes 0
3. 01/18/1970 07:36:02 -1 10.0.0.193 /dev/pts/0 /usr/sbin/sshd yes 0
4. 01/18/1970 07:36:02 -1 10.0.0.193 /dev/pts/1 /usr/sbin/sshd yes 0
5. 01/18/1970 07:36:02 -1 10.0.0.193 /dev/pts/0 /usr/sbin/sshd yes 0
The source server's time and ntpd daemon look fine, as do the remote audit/rsyslog server's. I've checked entries in the raw log, looking at the timestamp info and converting it, for example:
node=ip-10-0-0-131 type=USER_LOGOUT msg=audit(1496164032.589:115477): user pid=667995 uid=0 auid=1000 ses=10326 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.131 addr=10.0.0.131 terminal=ssh res=success'
Tue May 30 17:07:12 UTC 2017
So it seems like the logs are getting the correct timestamp, but aureport isn't converting it properly.
Even aureport -au gives a different, incorrect date:
# aureport -au -if ip-10-0-0-131_audit.log
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 06/23/1970 04:00:37 ayasdi 10.0.0.193 ? /usr/sbin/sshd yes 0
2. 06/23/1970 04:00:37 ayasdi 10.0.0.193 ? /usr/sbin/sshd yes 0
3. 06/23/1970 04:00:37 ayasdi 10.0.0.193 ssh /usr/sbin/sshd yes 0
4. 06/23/1970 04:00:40 ayasdi 10.0.0.131 ? /usr/sbin/sshd yes 0
5. 06/23/1970 04:00:40 ayasdi 10.0.0.131 ? /usr/sbin/sshd yes 0
6. 06/23/1970 04:00:40 ayasdi 10.0.0.131 ssh /usr/sbin/sshd yes 0
7. 06/23/1970 04:00:53 ayasdi 10.0.0.193 ? /usr/sbin/sshd yes 0
8. 06/23/1970 04:00:53 ayasdi 10.0.0.193 ? /usr/sbin/sshd yes 0
9. 06/23/1970 04:00:53 ayasdi 10.0.0.193 ssh /usr/sbin/sshd yes 0
Any ideas or pointers on troubleshooting? I have 1 server out of 8 doing this; the rest look fine.
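As an added example (not part of the original post, and not code from the audit package), here is a small Python script that performs the check the poster did by hand, independently of aureport: it parses the msg=audit(seconds.millis:serial) header of each raw audit record, accepts the optional node= prefix that remotely collected records carry, converts the seconds field to UTC in the same form as the date output quoted above, and flags any record whose header does not have that shape or whose converted date falls before a cut-off year. The sample records, the header regex and the cut-off year are assumptions made for this example, not facts about the poster's system.

```python
import re
from datetime import datetime, timezone

# Constructed sample records (not from a real system). The first mirrors the shape
# of the record quoted in the post, the second has no node= prefix, the third has a
# header that does not follow the seconds.millis:serial format.
SAMPLE_LINES = [
    "node=ip-10-0-0-131 type=USER_LOGOUT msg=audit(1496164032.589:115477): user pid=667995 uid=0 "
    "auid=1000 ses=10326 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 "
    "exe=\"/usr/sbin/sshd\" hostname=10.0.0.131 addr=10.0.0.131 terminal=ssh res=success'",
    "type=USER_LOGIN msg=audit(1496161501.123:114431): pid=1 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=? addr=10.0.0.193 terminal=ssh res=success'",
    "type=USER_LOGIN msg=audit(1496164:0): pid=1 uid=0 msg='op=login res=success'",
]

# Audit record header: optional node=, the record type, then msg=audit(SECS.MSEC:SERIAL):
# SECS is Unix epoch seconds, MSEC is exactly three digits, SERIAL groups the records of
# one event. The regex is this example's assumption about the header layout.
HEADER_RE = re.compile(
    r"^(?:node=(?P<node>\S+)\s+)?type=(?P<type>\S+)\s+"
    r"msg=audit\((?P<secs>\d+)\.(?P<msec>\d{3}):(?P<serial>\d+)\):"
)


def audit_epoch_to_utc(secs):
    """Render epoch seconds the way the date(1) output in the post does,
    e.g. 'Tue May 30 17:07:12 UTC 2017'."""
    return datetime.fromtimestamp(int(secs), tz=timezone.utc).strftime("%a %b %d %H:%M:%S UTC %Y")


def parse_audit_record(line):
    """Return the header fields of one raw audit record, or None if the header is malformed."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    secs = int(m.group("secs"))
    return {
        "node": m.group("node"),
        "type": m.group("type"),
        "epoch": secs,
        "msec": int(m.group("msec")),
        "serial": int(m.group("serial")),
        "utc": audit_epoch_to_utc(secs),
    }


def check_records(lines, earliest_year=2000):
    """Return (index, reason) pairs for records a report tool could mis-date:
    malformed headers, timestamps that resolve to a year before earliest_year
    (an assumed sanity cut-off), or a zero event serial."""
    findings = []
    for i, line in enumerate(lines):
        rec = parse_audit_record(line)
        if rec is None:
            findings.append((i, "header does not match type=... msg=audit(secs.msec:serial):"))
            continue
        year = datetime.fromtimestamp(rec["epoch"], tz=timezone.utc).year
        if year < earliest_year:
            findings.append((i, f"timestamp {rec['epoch']} resolves to {rec['utc']}"))
        if rec["serial"] == 0:
            findings.append((i, "event serial is 0"))
    return findings


if __name__ == "__main__":
    import sys

    # Pass a raw audit.log path as the first argument; otherwise the constructed samples are used.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LINES
    for rec in filter(None, map(parse_audit_record, lines)):
        print(rec["serial"], rec["type"], rec["utc"])
    for i, reason in check_records(lines):
        print(f"line {i}: {reason}")
```

Running this over the copied audit.log.old and comparing the printed UTC times against the aureport dates shows directly whether the raw timestamps are sound (as the poster's manual conversion suggests) or whether some records in that one file have headers the report tool cannot parse.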