Example of parsing file audit logs with python

You can use a program to parse the JSON of file audit logging to get information about specific attributes.

The file audit logs files include individual JSON objects, but they do not include arrays. The following example is a Python 3 program that can be used to point to the audit logs, read each object, and print specific information. In the example, the code is parsing for just the event-type, event-time, file-owner, and file-path:

import json
import sys

# open the audit log file
fName="/tmp/fileAuditLog"
try:
  fn = open(fName, 'r')
except IOError:
  print ('ERROR: Opening file', fName, '\n')
  sys.exit(1)

# read the file line by line and display the relevant events: Event-type, event-time, file-owner, file-path
i = 0
for line in fn:
  obj = json.loads(line)
  if i == 0:
    print ("\n{:10} {:26} {:6} {}".format("Event", "Event-time", "Owner", "Path"))
    print ('---------------------------------------------------------------------------------------------')
  print ("{:10} {:26} {:6} {}".format(obj["event"], obj["eventTime"], obj["ownerUserId"], obj["path"]))
  i = i + 1

Note: There are many open source JSON parsers. There are currently no restrictions on using other parsing programs.