aureport showing wrong date/time for login events

smikusko
Posts: 1
Joined: 2017/03/24 23:39:51

Post by smikusko » 2017/05/30 17:33:48

I've enabled audit logging on a number of servers, logging to local and to a remote server.

The local audit logs show the correct date/time for events, for example:


# aureport -l -if /var/log/audit/audit.log

Login Report
============================================
# date time auid host term exe success event
============================================
1. 05/28/2017 15:25:02 -1 10.0.0.193 ssh /usr/sbin/sshd yes 90668
2. 05/29/2017 15:25:02 -1 10.0.0.193 ssh /usr/sbin/sshd yes 102556
3. 05/30/2017 15:25:01 -1 10.0.0.193 ssh /usr/sbin/sshd yes 114431
4. 05/30/2017 16:08:23 -1 10.0.0.193 /dev/pts/0 /usr/sbin/sshd yes 114827
5. 05/30/2017 16:36:09 -1 10.0.0.193 /dev/pts/0 /usr/sbin/sshd yes 115097

But when I run aureport on the logs on the remote server:


# aureport -l -if ./ip-10-0-0-131_audit.log.old

Login Report
============================================
# date time auid host term exe success event
============================================
1. 01/18/1970 07:35:57 -1 10.0.0.193 ssh /usr/sbin/sshd yes 0
2. 01/18/1970 07:36:00 -1 10.0.0.193 /dev/pts/0 /usr/sbin/sshd yes 0
3. 01/18/1970 07:36:02 -1 10.0.0.193 /dev/pts/0 /usr/sbin/sshd yes 0
4. 01/18/1970 07:36:02 -1 10.0.0.193 /dev/pts/1 /usr/sbin/sshd yes 0
5. 01/18/1970 07:36:02 -1 10.0.0.193 /dev/pts/0 /usr/sbin/sshd yes 0

I get completely wrong timestamp info. Something must be amiss with the log shipping or the way aureport is reading the audit log.

The source server's time and ntpd daemon look fine, as do the remote audit/rsyslog server's. I've checked entries in the raw log, looking at the timestamp info and converting it, for example:


node=ip-10-0-0-131 type=USER_LOGOUT msg=audit(1496164032.589:115477): user pid=667995 uid=0 auid=1000 ses=10326 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.131 addr=10.0.0.131 terminal=ssh res=success'
date -d @1496164032.589
Tue May 30 17:07:12 UTC 2017

So it seems like the logs are getting the correct timestamp, but aureport isn't converting it properly.

Even aureport -au gives a different, incorrect date:


# aureport -au -if ip-10-0-0-131_audit.log

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 06/23/1970 04:00:37 ayasdi 10.0.0.193 ? /usr/sbin/sshd yes 0
2. 06/23/1970 04:00:37 ayasdi 10.0.0.193 ? /usr/sbin/sshd yes 0
3. 06/23/1970 04:00:37 ayasdi 10.0.0.193 ssh /usr/sbin/sshd yes 0
4. 06/23/1970 04:00:40 ayasdi 10.0.0.131 ? /usr/sbin/sshd yes 0
5. 06/23/1970 04:00:40 ayasdi 10.0.0.131 ? /usr/sbin/sshd yes 0
6. 06/23/1970 04:00:40 ayasdi 10.0.0.131 ssh /usr/sbin/sshd yes 0
7. 06/23/1970 04:00:53 ayasdi 10.0.0.193 ? /usr/sbin/sshd yes 0
8. 06/23/1970 04:00:53 ayasdi 10.0.0.193 ? /usr/sbin/sshd yes 0
9. 06/23/1970 04:00:53 ayasdi 10.0.0.193 ssh /usr/sbin/sshd yes 0

All those 06/23/1970 dates should be 05/30/2017 17:00-28. Very odd.

Any ideas or pointers on troubleshooting? I have 1 server out of 8 doing this; the rest look fine.
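One way to narrow this down, as an added example that is not code from the post or from the audit project: re-do the poster's `date -d @1496164032.589` conversion for every record in the shipped file, independently of aureport, so that lines whose `msg=audit(SECS.MSEC:SERIAL)` header is damaged or missing (for instance because something prepended a prefix in transit) are listed separately from lines that parse but carry an implausible time. The script also includes a helper for one observation that follows from the post's own numbers: 01/18/1970 07:36:xx UTC is roughly epoch 1496160 and 06/23/1970 04:00:xx is roughly 14961640, which are the post's 1496164032-era timestamps with their last three and two digits dropped respectively; `truncation_scale` tests a reported date against a known epoch for exactly that relation. The sample lines are constructed: only the first is the record quoted in the post, the other three are hypothetical damaged copies of it made up here to exercise each branch, and the syslog-style prefix on the second line is an assumption about what a broken shipping path might add, not something the post shows.

```python
#!/usr/bin/env python3
"""Hand-check the header of every record in an audit log (added example)."""
import re
import sys
from datetime import datetime, timezone

# Record header as auditd / audisp-remote write it: an optional "node=<host> "
# prefix, "type=<TYPE> ", then "msg=audit(<secs>.<millis>:<serial>):".
HEADER_RE = re.compile(
    r"^(?:node=(?P<node>\S+)\s+)?"
    r"type=(?P<type>\S+)\s+"
    r"msg=audit\((?P<secs>\d+)\.(?P<millis>\d{3}):(?P<serial>\d+)\):"
)

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_header(line):
    """Parse one record's header. Returns a dict with node, type, time (an
    aware UTC datetime, the same value `date -u -d @secs` prints) and serial,
    or None if the line does not start with a well-formed header."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    when = datetime.fromtimestamp(int(m.group("secs")), tz=timezone.utc)
    when = when.replace(microsecond=int(m.group("millis")) * 1000)
    return {"node": m.group("node"), "type": m.group("type"),
            "time": when, "serial": int(m.group("serial"))}


def check_log(lines, sane_after=datetime(2000, 1, 1, tzinfo=timezone.utc)):
    """Classify every line as 'ok', 'unparsed' (no header at the start of the
    line) or 'implausible' (header parses but the time is before sane_after).
    Returns (line_number, status, detail) tuples."""
    out = []
    for n, line in enumerate(lines, 1):
        rec = parse_header(line)
        if rec is None:
            out.append((n, "unparsed", line.rstrip("\r\n")[:50]))
        elif rec["time"] < sane_after:
            out.append((n, "implausible", rec["time"].isoformat()))
        else:
            stamp = rec["time"].strftime("%m/%d/%Y %H:%M:%S")
            out.append((n, "ok", f'{rec["type"]} {stamp} serial={rec["serial"]}'))
    return out


def truncation_scale(reported, true_secs, max_digits=6):
    """`reported` is a date in aureport's "MM/DD/YYYY HH:MM:SS" form, read as
    UTC. If it equals the true epoch seconds with its last k digits dropped,
    return 10**k; otherwise None."""
    when = datetime.strptime(reported, "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    reported_secs = int((when - EPOCH).total_seconds())
    for k in range(1, max_digits + 1):
        if true_secs // 10 ** k == reported_secs:
            return 10 ** k
    return None


# Constructed sample: GOOD is the record quoted in the post; the three damaged
# variants below are hypothetical, made up here to exercise each branch.
GOOD = ("node=ip-10-0-0-131 type=USER_LOGOUT msg=audit(1496164032.589:115477): "
        "user pid=667995 uid=0 auid=1000 ses=10326 "
        "subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 "
        "exe=\"/usr/sbin/sshd\" hostname=10.0.0.131 addr=10.0.0.131 "
        "terminal=ssh res=success'")
SAMPLE = [
    GOOD + "\n",
    # hypothetical: a syslog-style prefix pushed in front of the header
    "May 30 17:07:12 ip-10-0-0-131 audispd: " + GOOD + "\n",
    # hypothetical: header present but the timestamp zeroed
    GOOD.replace("audit(1496164032.589:115477)", "audit(0.000:0)") + "\n",
    # hypothetical: the msg=audit(...) fragment lost entirely
    GOOD.replace("msg=audit(1496164032.589:115477): ", "") + "\n",
]


def main(argv):
    if len(argv) > 1:
        with open(argv[1], errors="replace") as f:
            lines = f.readlines()
    else:
        lines = SAMPLE
    for n, status, detail in check_log(lines):
        print(f"{n:6d} {status:<11} {detail}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the shipped file (`python3 check_audit_headers.py ./ip-10-0-0-131_audit.log.old`): if every line comes back `ok` with 2017 dates, the file itself carries correct headers and the problem lies in how the report tool reads them; any `unparsed` lines point at the shipping path instead. Feeding one of the reported 1970 dates and a real epoch from the raw log to `truncation_scale` tells you whether the displayed time is simply the true seconds value shortened by a fixed number of digits.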
