The aureport tool helps you to create overall summaries of what is happening on the system, but if you are interested in the details of a particular event, ausearch is the tool to use. ausearch allows you to search the audit logs using special keys and search phrases that relate to most of the fields that appear in event messages in /var/log/audit/audit.log. Not all record types contain the same fields. There are no hostname or uid entries in a PATH record, for example. When searching, make sure that you choose search criteria that catch all the records you need. On the other hand, you could be searching for a specific type of record and still get various other related records along with it. This is because different parts of the kernel contribute additional records for events that are related to the one you are looking for. For example, you always get a PATH record along with the SYSCALL record for an open system call.
Note: Using Multiple Search Options
Any of the command line options can be combined. The criteria are joined with a logical AND, so each additional option narrows down your search.
When the audit logs have been moved to another machine, or when you want to analyze the logs of a number of machines on your local machine without connecting to each of them individually, copy the logs to a local file and have ausearch search that file instead of /var/log/audit/audit.log:
ausearch [options] -if myfile
Some information, such as user IDs, is printed in numeric form. To convert these into human readable text, add the -i option to your ausearch command.
If you have previously run an audit report or done an autrace, you might want to analyze the trail of a particular event in the log. Most of the report types described in Section 29.5, "Understanding the Audit Logs and Generating Reports" include audit event IDs in their output. An audit event ID is the second part of an audit message ID, which consists of a UNIX epoch time stamp and the audit event ID separated by a colon (msg=audit(1234874638.599:5207), for example). All records that are logged for one application's system call share the same event ID. Use this event ID with ausearch to retrieve the complete trail of this event from the log.
The autrace tool asks you to review the complete trail of the traced command in the logs using ausearch, and prints the complete ausearch command including the audit event ID.
In both cases, use a command similar to the following:
ausearch -a 5207
----
time->Tue Feb 17 13:43:58 2009
type=PATH msg=audit(1234874638.599:5207): item=0 name="/var/log/audit/audit.log" inode=1219041 dev=08:06 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1234874638.599:5207): cwd="/root"
type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=yes exit=4 a0=62fb60 a1=0 a2=31 a3=0 items=1 ppid=25400 pid=25616 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1164 comm="less" exe="/usr/bin/less" key="doc_log"
The ausearch -a command retrieves all records in the logs that belong to the audit event ID provided and displays them together. According to this guide, this option cannot be combined with any other option. Note that the event ID is a serial number that starts over when the kernel boots, so logs that span several boots can contain the same ID more than once; use the time stamp in the matching msg=audit(...) field to tell such events apart.
To search for audit records of a particular message type, use the ausearch -m command. Examples of valid message types include PATH, SYSCALL, and USER_LOGIN. Running ausearch -m without a message type displays a list of all message types.
To view records associated with a particular login user ID, use the ausearch -ul command. It displays any records related to the login user ID specified, provided that user had been able to log in successfully. The login user ID (the auid field) is set at login and is kept across su and sudo, so it identifies the person who originally logged in even for actions performed after switching to root.
View records related to any of the user IDs (both user ID and effective user ID) with ausearch -ua. View records related to a particular user ID with ausearch -ui. To search for records related to a particular effective user ID, use ausearch -ue.
Searching for a user ID means the user ID of the user creating a process. Searching for an effective user ID means the user ID whose privileges the process runs with; for a setuid program started by an unprivileged user, the uid is that user while the euid is the program's owner, typically root.
View records related to any of the group IDs (both group ID and effective group ID) with the ausearch -ga command. View records related to a particular group ID with ausearch -gi. To search for records related to a particular effective group ID, use ausearch -ge.
View records related to a certain command with the ausearch -c command, for example, ausearch -c less for all records related to the less command.
View records related to a certain executable with the ausearch -x command, for example, ausearch -x /usr/bin/less for all records related to the /usr/bin/less executable.
View records related to a certain system call with the ausearch -sc command, for example, ausearch -sc open for all records related to the open system call.
View records related to a certain process ID with the ausearch -p command, for example, ausearch -p 13368 for all records related to this process ID.
View records containing a certain system call success value with ausearch -sv, for example, ausearch -sv yes for all successful system calls, or ausearch -sv no for all system calls that failed.
View records containing a certain filename with ausearch -f, for example, ausearch -f /foo/bar for all records related to the /foo/bar file. Using the filename alone would work as well, but using relative paths would not.
View records of events related to a certain terminal only with ausearch -tm, for example, ausearch -tm ssh to view all records related to events on the SSH terminal and ausearch -tm tty to view all events related to the console.
View records related to a certain remote hostname with ausearch -hn, for example, ausearch -hn jupiter.example.com. You can use a hostname, fully qualified domain name, or numeric network address.
View records that contain a certain key assigned in the audit rule set to identify events of a particular type with ausearch -k, for example, ausearch -k CFG_etc to display any records containing the CFG_etc key.
View records that contain a certain word with ausearch -w. The whole word must match; it is not a substring search. The string is matched against the filename, hostname, and terminal fields.
Use -ts and -te to limit the scope of your searches to a certain time frame. The -ts option specifies the start date and time and the -te option specifies the end date and time. These options can be combined with any of the above, except the -a option. They are used in the same way as with aureport.
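The two mechanisms described in this section, retrieving a complete event trail by its audit event ID (ausearch -a) and narrowing a search by ANDing several criteria such as -k, -c, -sc, -sv, -m, -hn, -tm, -ts and -te, as an added example that is not part of this guide or of the audit package: a small Python parser that reads raw audit.log records, groups them by the audit(timestamp:serial) message ID and searches them with the same AND semantics, returning whole events rather than single records. The log lines are constructed (event 5207 is the one shown above; 5208 and 5209 are invented for contrast), the function names are my own, and time bounds are given as UNIX epoch values rather than ausearch's date and time strings.

```python
"""Group raw audit.log records into events and search them with ANDed
criteria, mirroring ausearch -a / -k / -c / -sc / -sv / -m / -ts / -te.
Added example; not part of the audit package or of this guide."""
import re
import time

# Constructed sample log. Serial 5207 is the event shown in the text
# (less opening audit.log); 5208 and 5209 are invented for contrast.
SAMPLE_LOG = """\
type=PATH msg=audit(1234874638.599:5207): item=0 name="/var/log/audit/audit.log" inode=1219041 dev=08:06 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1234874638.599:5207): cwd="/root"
type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=yes exit=4 a0=62fb60 a1=0 a2=31 a3=0 items=1 ppid=25400 pid=25616 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1164 comm="less" exe="/usr/bin/less" key="doc_log"
type=PATH msg=audit(1234874701.120:5208): item=0 name="/etc/passwd" inode=393241 dev=08:06 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1234874701.120:5208): cwd="/home/tux"
type=SYSCALL msg=audit(1234874701.120:5208): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=241 a2=1b6 a3=0 items=1 ppid=3001 pid=3010 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts2 ses=7 comm="vi" exe="/usr/bin/vim" key="CFG_etc"
type=USER_LOGIN msg=audit(1234874755.003:5209): user pid=3100 uid=0 auid=1000 ses=8 msg='op=login acct="tux" exe="/usr/sbin/sshd" hostname=jupiter.example.com addr=192.0.2.10 terminal=ssh res=success'
"""

# type=<RECORD TYPE> msg=audit(<epoch seconds>:<serial>): <fields>
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
# name=value pairs; values may be bare, "double quoted" or 'single quoted'
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_fields(text):
    """Split a record body into a dict. USER_* records carry a second field
    list inside msg='...'; it is flattened into the same dict."""
    fields = {}
    for name, value in FIELD_RE.findall(text):
        if len(value) >= 2 and value[0] == "'" and value[-1] == "'":
            fields.update(parse_fields(value[1:-1]))
        else:
            fields[name] = value.strip('"')
    return fields


def parse_log(text):
    """Return {serial: {"time": epoch float, "records": [(type, fields), ...]}}.
    Every record sharing the audit(ts:serial) message ID belongs to one
    event, which is what ausearch -a SERIAL retrieves."""
    events = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # blank lines and "----"/"time->" separators
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(int(serial), {"time": float(ts), "records": []})
        ev["records"].append((rtype, parse_fields(body)))
    return events


def trail(events, serial):
    """ausearch -a: every record of one event, in log order."""
    return events.get(serial, {}).get("records", [])


def search(events, start=None, end=None, **criteria):
    """AND all criteria, as ausearch does with several options.
    criteria maps an audit field to its expected value (key="doc_log",
    comm="less", syscall="2", success="no", hostname=..., terminal=...);
    the special name rtype matches the record type (ausearch -m).
    A criterion is met if ANY record of the event carries it, and the whole
    event is returned, so matching on the SYSCALL record also brings back
    its PATH and CWD records. start/end are epoch bounds like -ts/-te."""
    hits = {}
    for serial, ev in events.items():
        if start is not None and ev["time"] < start:
            continue
        if end is not None and ev["time"] > end:
            continue
        matched = True
        for name, want in criteria.items():
            if name == "rtype":
                found = any(rt == want for rt, _ in ev["records"])
            else:
                found = any(f.get(name) == want for _, f in ev["records"])
            if not found:
                matched = False
                break
        if matched:
            hits[serial] = ev
    return hits


def render(ev):
    """Lay an event out like ausearch: separator, time line (UTC here;
    ausearch prints local time), then one line per record."""
    lines = ["----", "time->" + time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(ev["time"]))]
    for rtype, fields in ev["records"]:
        lines.append("type=%s %s" % (rtype, " ".join("%s=%s" % kv for kv in fields.items())))
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(render(events[5207]))                                   # ausearch -a 5207
    for ev in search(events, key="CFG_etc", success="no").values():  # ausearch -k CFG_etc -sv no
        print(render(ev))
```

Because matching happens per event rather than per record, a search such as search(events, key="doc_log") returns the PATH and CWD records of event 5207 alongside the SYSCALL record that actually carries the key, which is the behaviour described at the top of this section; conversely, search(events, comm="vi", success="yes") returns nothing because the AND of the two criteria is not satisfied by any single event.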