How to Retrieve and Analyze Audit Logs from Saner On-Prem Server

Modified on Sun, 11 May at 1:48 PM

Overview

This document provides instructions to access and interpret audit logs from a Saner On-Prem server. It also includes a Python script to convert log timestamps (stored in Unix epoch milliseconds) into human-readable UTC and IST formats.


Use Case

Audit logs give direct access to a record of all critical system activity. Typical uses include:

  • Troubleshooting user activity (e.g., login/logout, user role changes)

  • Supporting compliance audits with timestamped records of all key actions


Log Location

Audit logs are stored on the on-prem server at the following path:

/usr/local/scaprepo/logs/

To list available audit logs:

cd /usr/local/scaprepo/logs
ls | grep SanerAudit

Files are named using the format:
SanerAudit_YYYY-MM-DD.log

Example:
SanerAudit_2025-04-29.log


Accessing Logs

Log files require elevated permissions. If accessed without sufficient privileges, a "Permission denied" error will occur.

To read the log file:

sudo tail SanerAudit_YYYY-MM-DD.log



Understanding the Log Format

Example log entry:

[1745940652246] [AUDIT] [sp10baefz3fjdw3] [null] [sp10baefz3fjdw3] [10000] [10002] User logout admin@secpod.com

The timestamp in the first field is in Unix epoch milliseconds and must be converted to human-readable time for interpretation.


Timestamp Conversion Script

Use the following Python script to convert all 13-digit timestamps in log files to readable UTC and IST date-time formats.


Python Script – Convert Millisecond Timestamps to UTC/IST

import os
import re
import sys
from datetime import datetime, timedelta, timezone
from tkinter import Tk, filedialog

# Hide the empty Tk root window; only the file dialog is shown.
Tk().withdraw()

input_file = filedialog.askopenfilename(
    title="Select your .log file",
    filetypes=[("Log files", "*.log"), ("All files", "*.*")]
)

if not input_file:
    print("[✗] No file selected. Exiting.")
    sys.exit(1)

# The converted copy is written next to this script.
base_name = os.path.splitext(os.path.basename(input_file))[0]
script_dir = os.path.dirname(os.path.realpath(__file__))
output_file = os.path.join(script_dir, f"{base_name}_converted.txt")

# A standalone run of exactly 13 digits (Unix epoch milliseconds).
timestamp_pattern = re.compile(r"(?<!\d)(\d{13})(?!\d)")

def convert_to_utc_ist(ms_timestamp):
    # Milliseconds -> seconds, then a timezone-aware UTC datetime.
    ts = int(ms_timestamp) / 1000.0
    utc = datetime.fromtimestamp(ts, tz=timezone.utc)
    # IST is UTC+05:30.
    ist = utc + timedelta(hours=5, minutes=30)
    return utc.strftime("%Y-%m-%d %H:%M:%S UTC"), ist.strftime("%Y-%m-%d %H:%M:%S IST")

with open(input_file, "r", encoding="utf-8") as infile, open(output_file, "w", encoding="utf-8") as outfile:
    for line in infile:
        match = timestamp_pattern.search(line)
        if match:
            ms_ts = match.group(1)
            utc_time, ist_time = convert_to_utc_ist(ms_ts)
            # Prefix the readable times; the original line is kept unchanged after them.
            new_line = f"[{utc_time}] | [{ist_time}] | {line.strip()}\n"
        else:
            # Lines without a timestamp are copied through as-is.
            new_line = line
        outfile.write(new_line)

print(f"[✓] Converted log saved to: {output_file}")

Sample Output After Conversion

[2025-04-29 12:20:52 UTC] | [2025-04-29 17:50:52 IST] | [1745940652246] [AUDIT] User logout admin@secpod.com
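
The following is an added example, not part of the original article or the vendor's tooling: a headless variant that splits each entry into its bracketed fields and filters events by message text and UTC time window, for servers where the tkinter file dialog has no desktop to open on. The meaning of the bracketed fields is not documented on this page, so they are kept as an unnamed positional list; the login line in SAMPLE and the script name audit_filter.py are constructed for illustration.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30), "IST")
HEAD = re.compile(r"^\[(\d{13})\]\s*\[(\w+)\]\s*")   # "[epoch ms] [LEVEL]"
FIELD = re.compile(r"\[([^\]]*)\]\s*")               # each further bracketed field

def parse_line(line):
    """Parse one audit line; return None if it lacks the expected header."""
    head = HEAD.match(line)
    if not head:
        return None
    ms, pos, fields = int(head.group(1)), head.end(), []
    while (m := FIELD.match(line, pos)):
        fields.append(m.group(1))
        pos = m.end()
    # Integer arithmetic keeps the millisecond part exact.
    utc = datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)
    return {"utc": utc, "ist": utc.astimezone(IST), "level": head.group(2),
            "fields": fields, "message": line[pos:].strip()}

def find_events(lines, text, start=None, end=None):
    """Return (events whose message contains text within [start, end], unparsed line count)."""
    hits, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1          # count malformed audit lines instead of silently dropping them
            continue
        in_window = (start is None or ev["utc"] >= start) and (end is None or ev["utc"] <= end)
        if in_window and text.lower() in ev["message"].lower():
            hits.append(ev)
    return hits, unparsed

# Constructed sample: the article's entry, one constructed login line, one damaged line.
SAMPLE = [
    "[1745940652246] [AUDIT] [sp10baefz3fjdw3] [null] [sp10baefz3fjdw3] [10000] [10002] User logout admin@secpod.com",
    "[1745940000000] [AUDIT] [sp10baefz3fjdw3] [null] [sp10baefz3fjdw3] [10000] [10002] User login admin@secpod.com",
    "1745940652 AUDIT truncated entry",
]

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin   # piped log, else the built-in sample
    events, bad = find_events(source, sys.argv[1] if len(sys.argv) > 1 else "")
    for ev in events:
        print(f'{ev["utc"]:%Y-%m-%d %H:%M:%S} UTC | {ev["ist"]:%Y-%m-%d %H:%M:%S} IST | {ev["message"]}')
    print(f"{len(events)} matching event(s), {bad} unparsed line(s)", file=sys.stderr)
```

To run it against a real log, pipe the file in with elevated read access, for example `sudo cat SanerAudit_YYYY-MM-DD.log | python3 audit_filter.py logout`. A non-zero unparsed count is worth investigating, since it means some lines did not match the documented entry format.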

Recommendations

  • Always use sudo access to ensure full visibility into the logs.

  • Use the conversion script for readability and documentation purposes.


