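#!/usr/bin/perl
# Search every file under an audit log directory for a pattern and print the
# matching records with the audit epoch timestamp rewritten as local time.
#
# Usage: PATTERN [DIR]      (DIR defaults to /var/log/audit)
#
# find/grep/zgrep are run through sudo because the audit directory is
# normally readable by root only.
use strict;
use warnings;

# what do I want to look for in the audit log.
die "usage: $0 PATTERN [DIR]\n" if @ARGV < 1 || @ARGV > 2;
my $pattern = $ARGV[0];

# Define the audit directory if the user doesn't provide one.
my $dir = '/var/log/audit';
$dir = $ARGV[1] if scalar(@ARGV) == 2;

# Strip any trailing slash
$dir =~ s{/\z}{};

# Run a command given as an argument list (never a shell string) and return
# its output lines with the newlines removed.  Handing the list straight to
# open() keeps a pattern or path with shell metacharacters a single argument
# instead of letting the shell re-parse it.  Only a failure to start the
# child is fatal: grep exits non-zero when nothing matches, so the child's
# exit status is deliberately not checked.
sub _run_lines {
    my (@cmd) = @_;
    open my $fh, '-|', @cmd or die "cannot run '@cmd': $!\n";
    my @lines = <$fh>;
    close $fh;
    chomp @lines;
    return @lines;
}

# Rewrite one audit record so the epoch inside "msg=audit(EPOCH.ms:serial"
# becomes human-readable local time.  Returns nothing (undef in scalar
# context) for a line without an audit timestamp; the caller skips those.
sub _humanize {
    my ($line) = @_;
    return unless $line =~ m{ (?<head>.*msg=audit\() (?<epoch>\d+) (?<tail>\.\d+:\d+.*) }x;
    # convert epoch to human readable
    my $stamp = scalar localtime($+{epoch});
    return "$+{head}$stamp$+{tail}";
}

# walk through the directory and save the list of files as an array.
# find is nice because it gives you full path + executable; -type f keeps
# directories out of the list so grep is never pointed at one.
my @files = _run_lines('sudo', 'find', $dir, '-type', 'f');

# loop through each element in the array and do something.
for my $file (@files) {
    # zgrep is needed for gz and grep is for regular files
    my $grep = $file =~ m{\.gz\z} ? 'zgrep' : 'grep';

    # '--' ends option parsing so a pattern beginning with '-' is searched
    # for rather than read as a grep flag.
    my @hits = _run_lines('sudo', $grep, '--', $pattern, $file);

    # print the filename only if we found something in the file
    next unless @hits;
    print "\nFile: $file\n";

    # for each element in the array translate epoch to human readable
    for my $line (@hits) {
        my $readable = _humanize($line);
        print "$readable\n" if defined $readable;
    }
}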