whathappened parses Linux Audit logs and reconstructs what happened — in plain language.
- Parses audit log lines or real-time netlink input (planned)
- Correlates multi-line records into sessions and events
- Narrates actions with templates and i18n
- Plugin architecture for handling AVC, SYSCALL, etc.
- Outputs pretty trees or machine-readable JSON
- Unit-tested and CI-verified with Codecov
- Supports DEB and RPM packaging
Usage:

```sh
whathappened /var/log/audit/audit.log
ausearch -ts today | whathappened
```

Build, test and package:

```sh
make
make test
dpkg-buildpackage -us -uc
rpmbuild -ba packaging/redhat/whathappened.spec
```

Example output:

```
🟢 Session 1834 — user jdoe (UID 1000)
├── 📄 Executed: /usr/bin/vim /etc/passwd
│   └── CWD: /home/jdoe
├── ❌ Attempted unauthorized read: /root/secret
│   └── SELinux denial: user_t → admin_home_t (read)
└── 🌐 Downloaded remote script using curl
    └── URL: http://malicious.site/payload.sh
🔚 Summary: 3 commands run, 1 SELinux denial
```
Project layout:

- `input/` — log file or (future) netlink readers
- `parser/` — audit line parser
- `explain/` — base explainer engine
- `plugins/` — modular type-specific explainers
- `narration/` — template-based string generation with i18n
- `output/` — human or JSON rendering
- `correlate/` — session tracker, process tree logic
- `tests/` — unit tests with cmocka
- `packaging/` — DEB and RPM metadata
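As an added example of the work the `parser/` and `correlate/` directories are responsible for (this is not the project's own code): a minimal C parser for the audit record header (`type=` and `msg=audit(SEC.MS:SERIAL)`) and for `key=value` fields, plus the same-serial check that lets a CWD or PATH record be attached to the SYSCALL record of the same event. The sample records and the function names are constructed for this example.

```c
/* Added example, not whathappened's own code: parse the audit record header
 * and key=value fields, and decide whether two records belong to one event. */
#include <stdio.h>
#include <string.h>
struct audit_hdr {
    char type[32]; /* record type: SYSCALL, CWD, PATH, AVC, ... */
    long ts_sec;   /* seconds part of msg=audit(SEC.MS:SERIAL) */
    long serial;   /* event serial shared by every record of one event */
};

/* Parse "type=T msg=audit(SEC.MS:SERIAL): ..." into hdr; returns 1 on success. */
int parse_audit_header(const char *line, struct audit_hdr *hdr)
{
    const char *t = strstr(line, "type=");
    const char *m = strstr(line, "msg=audit(");
    if (!t || !m || sscanf(t, "type=%31s", hdr->type) != 1) return 0;
    return sscanf(m, "msg=audit(%ld.%*d:%ld):", &hdr->ts_sec, &hdr->serial) == 2;
}

/* Copy the value of " key=" (quoted or bare) into out; returns 1 if present.
 * The leading space stops "uid=" from matching inside "auid=" or "euid=". */
int audit_get_field(const char *line, const char *key, char *out, size_t outlen)
{
    char pat[40];
    snprintf(pat, sizeof pat, " %s=", key);
    const char *p = strstr(line, pat);
    if (!p) return 0;
    p += strlen(pat);
    int quoted = (*p == '"');
    if (quoted) p++;
    size_t n = 0;
    while (*p && *p != '\n' && *p != (quoted ? '"' : ' ') && n + 1 < outlen)
        out[n++] = *p++;
    out[n] = '\0';
    return 1;
}

/* Records with the same timestamp and serial are pieces of one event. */
int same_event(const struct audit_hdr *a, const struct audit_hdr *b)
{
    return a->ts_sec == b->ts_sec && a->serial == b->serial;
}
/* Constructed sample records in the style of /var/log/audit/audit.log. */
const char *SAMPLE[] = {
    "type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=257 success=no exit=-13 pid=1234 auid=1000 uid=1000 ses=1834 comm=\"vim\" exe=\"/usr/bin/vim\"",
    "type=CWD msg=audit(1700000000.123:4242): cwd=\"/home/jdoe\"",
    "type=PATH msg=audit(1700000000.123:4242): item=0 name=\"/root/secret\" nametype=NORMAL",
    "type=SYSCALL msg=audit(1700000000.456:4243): arch=c000003e syscall=59 success=yes exit=0 pid=1235 auid=1000 uid=1000 ses=1834 comm=\"curl\" exe=\"/usr/bin/curl\"",
};
```

Grouping records by `ts_sec` and `serial`, then by `ses`, is what turns the flat log into the per-session tree shown in the example output.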
Unit tests are written using cmocka and run via GitHub Actions.
```sh
make test
```

Requirements:

- GCC
- cmocka (`libcmocka-dev`)
- make or cmake

Install:

```sh
make
sudo make install
```
Narration templates support multiple languages via templates/en.json, templates/es.json, etc.
Select language:
```sh
whathappened --lang en
```
Roadmap:

- Session-level grouping
- Process tree correlation
- Multi-process activity detection (e.g., worker pools)
- Live mode via netlink audit socket
- Graphical output (DOT, HTML reports)
- Tired of deciphering raw `audit.log` entries?
- Need to summarize user activity or investigate an incident?
- Want to plug audit intelligence into your pipeline or SIEM?
This tool tells you what happened. In plain language.
MIT (or insert your license of choice)
PRs welcome! Unit tests are required for all new plugins or correlators.