AUREPORT:(8)            System Administration Utilities           AUREPORT:(8)

NAME

       aureport - a tool that produces summary reports of audit daemon logs

SYNOPSIS

       aureport [options]

DESCRIPTION

       aureport is a tool that produces summary reports of the audit system
       logs. The aureport utility can also take input from stdin as long as
       the input is the raw log data. The reports have a column label at the
       top to help with interpretation of the various fields. Except for the
       main summary report, all reports have the audit event number. You can
       subsequently look up the full event with ausearch -a event number. You
       may need to specify start and stop times if you get multiple hits. The
       reports produced by aureport can be used as building blocks for more
       complicated analysis.


OPTIONS

       -au, --auth
              Report about authentication attempts

       -a, --avc
              Report about avc messages

       --comm Report about commands run

       -c, --config
              Report about config changes

       -cr, --crypto
              Report about crypto events

       --eoe-timeout seconds
              Set the end of event parsing timeout. See end_of_event_timeout
              in auditd.conf(5) for details. Note that setting this value will
              override any configured value found in /etc/auditd/auditd.conf.

       -e, --event
              Report about events

       --escape option
              This option determines if the output is escaped to make the
              content safer for certain uses. The options are raw, tty, shell,
              and shell_quote. Each mode includes the characters of the
              preceding mode and escapes more characters. That is to say shell
              includes all characters escaped by tty and adds more. tty is the
              default.

       -f, --file
              Report about files and af_unix sockets

       --failed
              Only select failed events for processing in the reports. The
              default is both success and failed events.

       -h, --host
              Report about hosts

       --help Print brief command summary

       -i, --interpret
              Interpret numeric entities into text. For example, uid is
              converted to account name. The conversion is done using the
              current resources of the machine where the search is being run.
              If you have renamed the accounts, or don't have the same accounts
              on your machine, you could get misleading results.

       -if, --input file | directory
              Use the given file or directory instead of the logs. This is to
              aid analysis where the logs have been moved to another machine
              or only part of a log was saved.

       --input-logs
              Use the log file location from auditd.conf as input for
              analysis. This is needed if you are using aureport from a cron
              job.

       --integrity
              Report about integrity events

       -k, --key
              Report about audit rule keys

       -l, --login
              Report about logins

       -m, --mods
              Report about account modifications

       -ma, --mac
              Report about Mandatory Access Control (MAC) events

       -n, --anomaly
              Report about anomaly events. These events include a NIC going
              into promiscuous mode and programs segfaulting.

       --node node-name
              Only select events originating from the given node name string
              for processing in the reports. The default is to include all
              nodes. Multiple nodes are allowed.

       -nc, --no-config
              Do not include the CONFIG_CHANGE event. This is particularly
              useful for the key report because audit rules have key labels in
              many cases. Using this option gets rid of these false positives.

       -p, --pid
              Report about processes

       -r, --response
              Report about responses to anomaly events

       -s, --syscall
              Report about syscalls

       --success
              Only select successful events for processing in the reports. The
              default is both success and failed events.

       --summary
              Run the summary report that gives a total of the elements of the
              main report. Not all reports have a summary.

       -t, --log
              This option will output a report of the start and end times for
              each log.

       --tty  Report about tty keystrokes

       -te, --end [end-date] [end-time]
              Search for events with time stamps equal to or before the given
              end time. The format of end time depends on your locale. If the
              date is omitted, today is assumed. If the time is omitted, now
              is assumed. Use 24 hour clock time rather than AM or PM to
              specify time. An example date using the en_US.utf8 locale is
              09/03/2009. An example of time is 18:00:00. The date format
              accepted is influenced by the LC_TIME environment variable.

              You may also use the word: now, recent, boot, today, yesterday,
              this-week, week-ago, this-month, this-year. Now means starting
              now. Recent is 10 minutes ago. Boot means the time of day to the
              second when the system last booted. Today means now. Yesterday
              is 1 second after midnight the previous day. This-week means
              starting 1 second after midnight on day 0 of the week determined
              by your locale (see localtime). Week-ago means 1 second after
              midnight exactly 7 days ago. This-month means 1 second after
              midnight on day 1 of the month. This-year means the 1 second
              after midnight on the first day of the first month.

       -tm, --terminal
              Report about terminals

       -ts, --start [start-date] [start-time]
              Search for events with time stamps equal to or after the given
              start time. The format of start time depends on your locale. If
              the date is omitted, today is assumed. If the time is omitted,
              midnight is assumed. Use 24 hour clock time rather than AM or PM
              to specify time. An example date using the en_US.utf8 locale is
              09/03/2009. An example of time is 18:00:00. The date format
              accepted is influenced by the LC_TIME environment variable.

              You may also use the word: now, recent, boot, today, yesterday,
              this-week, week-ago, this-month, this-year. Boot means the time
              of day to the second when the system last booted. Today means
              starting at 1 second after midnight. Recent is 10 minutes ago.
              Yesterday is 1 second after midnight the previous day. This-week
              means starting 1 second after midnight on day 0 of the week
              determined by your locale (see localtime). Week-ago means
              starting 1 second after midnight exactly 7 days ago. This-month
              means 1 second after midnight on day 1 of the month. This-year
              means the 1 second after midnight on the first day of the first
              month.

       -u, --user
              Report about users

       -v, --version
              Print the version and exit

       --virt Report about Virtualization events

       -x, --executable
              Report about executables


NOTE

       The boot time option is a convenience function and has limitations. The
       time it calculates is based on time now minus /proc/uptime. If after
       boot the system clock has been adjusted, perhaps by ntp, then the
       calculation may be wrong. In that case you'll need to fully specify the
       time. You can check the time it would use by running:

       date -d "`cut -f1 -d. /proc/uptime` seconds ago"

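       The -ts/-te keyword times described under OPTIONS and the boot-time
       calculation in this note, worked through as an added example that is
       not part of aureport or this manual page. It assumes "day 0 of the
       week" is Sunday (the struct tm convention); resolve_keyword,
       resolve_iso and read_uptime_seconds are names chosen for the example.

```python
from datetime import datetime, timedelta

# Added example, not aureport's code: resolves the -ts/--start and -te/--end
# keywords from the man page into concrete timestamps. "day 0 of the week"
# is assumed to be Sunday (struct tm tm_wday convention).
KEYWORDS = ("now", "recent", "boot", "today", "yesterday",
            "this-week", "week-ago", "this-month", "this-year")

def _midnight_plus_one(day):
    # "1 second after midnight" on the calendar day of `day`
    return day.replace(hour=0, minute=0, second=1, microsecond=0)

def read_uptime_seconds(path="/proc/uptime"):
    # Whole seconds of uptime, same as `cut -f1 -d. /proc/uptime` in the NOTE
    with open(path) as fh:
        return int(fh.read().split()[0].split(".")[0])

def resolve_keyword(word, now, end=False, uptime_seconds=None):
    # end=False models -ts/--start, end=True models -te/--end; the two differ
    # only for "today" (start: 00:00:01 today, end: now).
    if word == "now":
        return now
    if word == "recent":
        return now - timedelta(minutes=10)
    if word == "boot":
        # now minus uptime: wrong if the clock was stepped after boot (e.g. by ntp)
        secs = read_uptime_seconds() if uptime_seconds is None else uptime_seconds
        return now.replace(microsecond=0) - timedelta(seconds=secs)
    if word == "today":
        return now if end else _midnight_plus_one(now)
    if word == "yesterday":
        return _midnight_plus_one(now - timedelta(days=1))
    if word == "this-week":
        days_since_sunday = (now.weekday() + 1) % 7   # Python: Monday == 0
        return _midnight_plus_one(now - timedelta(days=days_since_sunday))
    if word == "week-ago":
        return _midnight_plus_one(now - timedelta(days=7))
    if word == "this-month":
        return _midnight_plus_one(now.replace(day=1))
    if word == "this-year":
        return _midnight_plus_one(now.replace(month=1, day=1))
    raise ValueError(f"unknown time keyword: {word!r}")

def resolve_iso(word, now_iso, **kw):
    # String in, string out, e.g. resolve_iso("this-week", "2009-09-03T18:00:00")
    return resolve_keyword(word, datetime.fromisoformat(now_iso), **kw).isoformat()

if __name__ == "__main__":
    for w in KEYWORDS:
        print(f"{w:>10} -> {resolve_keyword(w, datetime.now())}")
```

       Run without arguments it prints what each keyword resolves to on the
       local clock, so a week boundary or a stepped clock can be checked
       before trusting a -ts boot or -ts this-week report.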

SEE ALSO

       ausearch(8), auditd(8), auditd.conf(5).



Red Hat                           March 2017                      AUREPORT:(8)