Querying the Audit Daemon Logs with ausearch

The aureport tool helps you to create overall summaries of what is happening on the system, but if you are interested in the details of a particular event, ausearch is the tool to use. ausearch allows you to search the audit logs using special keys and search phrases that relate to most of the fields that appear in event messages in /var/log/audit/audit.log. Not all record types contain the same search phrases. There are no hostname or uid entries in a PATH record, for example. When searching, make sure that you choose appropriate search criteria to catch all the records you need. On the other hand, you could be searching for a specific type of record and still get various other related records along with it. This is caused by different parts of the kernel contributing additional records for events that are related to the one you are looking for. For example, you would always get a PATH record along with the SYSCALL record for an open system call.

Tip: Using Multiple Search Options

Any of the command line options can be combined with logical AND operators to narrow down your search.

Read Audit Logs from Another File

When the audit logs have moved to another machine or when you want to analyze the logs of a number of machines on your local machine without wanting to connect to each of these individually, move the logs to a local file and have ausearch search them locally:

ausearch -option -if myfile

Convert Numeric Results into Text

Some information, such as user IDs, is printed in numeric form. To convert these values into human-readable text, add the -i option to your ausearch command.

Search by Audit Event ID

If you have previously run an audit report or done an autrace, you might want to analyze the trail of a particular event in the log. Most of the report types described in Section 29.5, “Understanding the Audit Logs and Generating Reports” include audit event IDs in their output. An audit event ID is the second part of an audit message ID, which consists of a UNIX epoch time stamp and the audit event ID separated by a colon. All events that are logged from one application's system call have the same event ID. Use this event ID with ausearch to retrieve this event's trail from the log.

The autrace tool asks you to review the complete trail of the command traced in the logs using ausearch. autrace provides you with the complete ausearch command including the audit event ID.

In both cases, use a command similar to the following:

ausearch -a 5207
----
time->Tue Feb 17 13:43:58 2009
type=PATH msg=audit(1234874638.599:5207): item=0 name="/var/log/audit/audit.log" inode=1219041 dev=08:06 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1234874638.599:5207):  cwd="/root"
type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=yes exit=4 a0=62fb60 a1=0 a2=31 a3=0 items=1 ppid=25400 pid=25616 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1164 comm="less" exe="/usr/bin/less" key="doc_log"

The ausearch -a command grabs all records in the logs that are related to the audit event ID provided and displays them. This option cannot be combined with any other option.

Search by Message Type

To search for audit records of a particular message type, use the ausearch -m message_type command. Examples of valid message types include PATH, SYSCALL, and USER_LOGIN. Running ausearch -m without a message type displays a list of all message types.

Search by Login ID

To view records associated with a particular login user ID, use the ausearch -ul command. It displays any records related to the user login ID specified provided that user had been able to log in successfully.

Search by User ID

View records related to any of the user IDs (both user ID and effective user ID) with ausearch -ua. View records related to a particular user ID with ausearch -ui uid. To search for records related to a particular effective user ID, use ausearch -ue euid. The user ID is the ID of the user who created the process. The effective user ID is the user ID, and therefore the set of privileges, under which the process actually runs.

Search by Group ID

View records related to any of the group IDs (both group ID and effective group ID) with the ausearch -ga command. View records related to a particular group ID with ausearch -gi gid. To search for records related to a particular effective group ID, use ausearch -ge egid.

Search by Command Line Name

View records related to a certain command with the ausearch -c comm_name command, for example, ausearch -c less for all records related to the less command.

Search by Executable Name

View records related to a certain executable with the ausearch -x exe command, for example ausearch -x /usr/bin/less for all records related to the /usr/bin/less executable.

Search by System Call Name

View records related to a certain system call with the ausearch -sc syscall command, for example, ausearch -sc open for all records related to the open system call.

Search by Process ID

View records related to a certain process ID with the ausearch -p pid command, for example ausearch -p 13368 for all records related to this process ID.

Search by Event or System Call Success Value

View records containing a certain system call success value with ausearch -sv success_value, for example, ausearch -sv yes for all successful system calls.

Search by Filename

View records containing a certain filename with ausearch -f filename, for example, ausearch -f /foo/bar for all records related to the /foo/bar file. Using the filename alone would work as well, but using relative paths would not.

Search by Terminal

View records of events related to a certain terminal only with ausearch -tm term, for example, ausearch -tm ssh to view all records related to events on the SSH terminal and ausearch -tm tty to view all events related to the console.

Search by Hostname

View records related to a certain remote hostname with ausearch -hn hostname, for example, ausearch -hn jupiter.example.com. You can use a hostname, fully qualified domain name, or numeric network address.

Search by Key Field

View records that contain a certain key assigned in the audit rule set to identify events of a particular type. Use the ausearch -k key_field, for example, ausearch -k CFG_etc to display any records containing the CFG_etc key.

Search by Word

View records that contain a certain string. The whole string is matched against the filename, hostname, and terminal fields. Use ausearch -w word.

Limit a Search to a Certain Time Frame

Use -ts and -te to limit the scope of your searches to a certain time frame. The -ts option is used to specify the start date and time and the -te option is used to specify the end date and time. These options can be combined with any of the above, except the -a option. The use of these options is similar to use with aureport.
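As an added example that is not part of this documentation or of the audit package, the following Python script parses records in the audit.log format shown in the event ID section above and reproduces, offline, the two kinds of query this page describes: expanding an audit event ID into its full PATH/CWD/SYSCALL trail as ausearch -a does, and AND-combining field criteria such as -k, -c or -sv within a -ts/-te time window. The log lines are constructed sample data modelled on the trail shown for event ID 5207, with one extra, unrelated event added for contrast.

```python
import re

# Constructed sample records in audit.log format (modelled on the trail shown
# for event 5207 above, plus an unrelated denied read under key CFG_etc).
AUDIT_LOG = """\
type=PATH msg=audit(1234874638.599:5207): item=0 name="/var/log/audit/audit.log" inode=1219041 dev=08:06 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1234874638.599:5207):  cwd="/root"
type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=yes exit=4 a0=62fb60 a1=0 a2=31 a3=0 items=1 ppid=25400 pid=25616 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1164 comm="less" exe="/usr/bin/less" key="doc_log"
type=SYSCALL msg=audit(1234874640.101:5208): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=25400 pid=25620 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts2 ses=1170 comm="cat" exe="/usr/bin/cat" key="CFG_etc"
type=PATH msg=audit(1234874640.101:5208): item=0 name="/etc/shadow" inode=3 dev=08:06 mode=0100640 ouid=0 ogid=15 rdev=00:00
"""

# Audit message ID is "epoch.millis:serial"; the serial is the audit event ID.
MSG_ID = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(log_text):
    """Turn audit.log lines into dicts: type, time, event ID and every key=value field."""
    records = []
    for line in log_text.splitlines():
        m = MSG_ID.match(line)
        if not m:
            continue  # skip separators such as '----' and 'time->' lines
        rec = {"type": m.group(1), "time": float(m.group(2)), "event": int(m.group(3))}
        for key, val in FIELD.findall(m.group(4)):
            rec[key] = val.strip('"')
        records.append(rec)
    return records

def trail(records, event_id):
    """Like 'ausearch -a ID': every record sharing the audit event ID, in log order."""
    return [r for r in records if r["event"] == event_id]

def search(records, ts=None, te=None, **criteria):
    """AND of field matches (like combining options), optionally limited to an
    epoch time window as -ts/-te do, e.g. search(recs, comm="less", key="doc_log")."""
    return [r for r in records
            if (ts is None or r["time"] >= ts) and (te is None or r["time"] <= te)
            and all(r.get(k) == str(v) for k, v in criteria.items())]

def event_ids(records, **criteria):
    """Event IDs of matching records; expand each with trail() to get the full
    record set for that event, which is what ausearch -a does."""
    return sorted({r["event"] for r in search(records, **criteria)})
```

Matching on a single field (a key, a command name) typically hits only one record of an event, so the event ID is the handle for retrieving the PATH and CWD records that belong to the same system call.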