AUREPORT:(8)            System Administration Utilities           AUREPORT:(8)

NAME

       aureport - a tool that produces summary reports of audit daemon logs


SYNOPSIS

       aureport [options]


DESCRIPTION

       aureport is a tool that produces summary reports of the audit system
       logs. The aureport utility can also take input from stdin as long as
       the input is the raw log data. The reports have a column label at the
       top to help with interpretation of the various fields. Except for the
       main summary report, all reports have the audit event number. You can
       subsequently look up the full event with ausearch -a event number. You
       may need to specify start & stop times if you get multiple hits. The
       reports produced by aureport can be used as building blocks for more
       complicated analysis.

OPTIONS

       -au, --auth
              Report about authentication attempts

       -a, --avc
              Report about avc messages

       --comm Report about commands run

       -c, --config
              Report about config changes

       -cr, --crypto
              Report about crypto events

       -e, --event
              Report about events

       -f, --file
              Report about files

       --failed
              Only select failed events for processing in the reports. The
              default is both success and failed events.

       -h, --host
              Report about hosts

       --help Print brief command summary

       -i, --interpret
              Interpret numeric entities into text. For example, uid is
              converted to account name. The conversion is done using the
              current resources of the machine where the search is being run.
              If you have renamed the accounts, or don't have the same
              accounts on your machine, you could get misleading results.

       -if, --input file | directory
              Use the given file or directory instead of the logs. This is to
              aid analysis where the logs have been moved to another machine
              or only part of a log was saved.

       --input-logs
              Use the log file location from auditd.conf as input for
              analysis. This is needed if you are using aureport from a cron
              job.

       --integrity
              Report about integrity events

       -k, --key
              Report about audit rule keys

       -l, --login
              Report about logins

       -m, --mods
              Report about account modifications

       -ma, --mac
              Report about Mandatory Access Control (MAC) events

       -n, --anomaly
              Report about anomaly events. These events include a NIC going
              into promiscuous mode and programs segfaulting.

       --node node-name
              Only select events originating from the given node name string
              for processing in the reports. The default is to include all
              nodes. Multiple nodes are allowed.

       -nc, --no-config
              Do not include the CONFIG_CHANGE event. This is particularly
              useful for the key report because audit rules have key labels in
              many cases. Using this option gets rid of these false positives.

       -p, --pid
              Report about processes

       -r, --response
              Report about responses to anomaly events

       -s, --syscall
              Report about syscalls

       --success
              Only select successful events for processing in the reports. The
              default is both success and failed events.

       --summary
              Run the summary report that gives a total of the elements of the
              main report. Not all reports have a summary.

       -t, --log
              This option will output a report of the start and end times for
              each log.

       --tty  Report about tty keystrokes

       -te, --end [end-date] [end-time]
              Search for events with time stamps equal to or before the given
              end time. The format of end time depends on your locale. If the
              date is omitted, today is assumed. If the time is omitted, now
              is assumed. Use 24 hour clock time rather than AM or PM to
              specify time. An example date using the en_US.utf8 locale is
              09/03/2009. An example of time is 18:00:00. The date format
              accepted is influenced by the LC_TIME environment variable.

              You may also use the words: now, recent, today, yesterday,
              this-week, week-ago, this-month, this-year. Today means starting
              now. Recent is 10 minutes ago. Yesterday is 1 second after
              midnight the previous day. This-week means starting 1 second
              after midnight on day 0 of the week determined by your locale
              (see localtime). Week-ago means 1 second after midnight exactly
              7 days ago. This-month means 1 second after midnight on day 1 of
              the month. This-year means 1 second after midnight on the first
              day of the first month.

       -tm, --terminal
              Report about terminals

       -ts, --start [start-date] [start-time]
              Search for events with time stamps equal to or after the given
              start time. The format of start time depends on your locale. If
              the date is omitted, today is assumed. If the time is omitted,
              midnight is assumed. Use 24 hour clock time rather than AM or PM
              to specify time. An example date using the en_US.utf8 locale is
              09/03/2009. An example of time is 18:00:00. The date format
              accepted is influenced by the LC_TIME environment variable.

              You may also use the words: now, recent, today, yesterday,
              this-week, week-ago, this-month, this-year. Today means starting
              at 1 second after midnight. Recent is 10 minutes ago. Yesterday
              is 1 second after midnight the previous day. This-week means
              starting 1 second after midnight on day 0 of the week determined
              by your locale (see localtime). Week-ago means starting 1 second
              after midnight exactly 7 days ago. This-month means 1 second
              after midnight on day 1 of the month. This-year means 1 second
              after midnight on the first day of the first month.

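              The --start and --end time rules above, worked through as an
              added example (it is not code from aureport or the audit
              package): it resolves each keyword and each explicit
              [date] [time] pair to the timestamp the text describes, so the
              window a report actually covers can be checked before trusting
              its counts. It assumes en_US.utf8 forms (MM/DD/YYYY, HH:MM:SS)
              and takes the locale's day 0 of the week as a parameter; the
              reference time is constructed from the page's own example values.

```python
# Added illustration of the aureport(8) --start/--end time rules; it is not
# code from the audit package. Assumes en_US.utf8 forms (MM/DD/YYYY, HH:MM:SS).
from datetime import datetime, time, timedelta

# Constructed reference time, built from the man page's own example date and time.
EXAMPLE_NOW = datetime(2009, 9, 3, 18, 0, 0)

def resolve_keyword(word, now, is_start, week_start=6):
    """Resolve one time keyword to a datetime, following the man page text.

    is_start: True for --start, False for --end (they differ for "today").
    week_start: the locale's day 0 in weekday() terms (Mon=0 .. Sun=6); Sunday assumed.
    """
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    day_start = midnight + timedelta(seconds=1)   # "1 second after midnight"
    if word == "now":
        return now
    if word == "recent":                          # 10 minutes ago
        return now - timedelta(minutes=10)
    if word == "today":                           # --start: 00:00:01, --end: now
        return day_start if is_start else now
    if word == "yesterday":
        return day_start - timedelta(days=1)
    if word == "this-week":                       # back to day 0 of this week
        return day_start - timedelta(days=(now.weekday() - week_start) % 7)
    if word == "week-ago":                        # exactly 7 days ago
        return day_start - timedelta(days=7)
    if word == "this-month":                      # day 1 of this month
        return day_start.replace(day=1)
    if word == "this-year":                       # first day of the first month
        return day_start.replace(month=1, day=1)
    raise ValueError(f"unknown aureport time keyword: {word}")

def resolve_explicit(now, is_start, date_str=None, time_str=None):
    """Resolve an explicit [date] [time] pair; either part may be omitted."""
    day = datetime.strptime(date_str, "%m/%d/%Y").date() if date_str else now.date()
    if time_str:
        clock = datetime.strptime(time_str, "%H:%M:%S").time()
    else:                     # time omitted: midnight for --start, now for --end
        clock = time(0, 0, 0) if is_start else now.time()
    return datetime.combine(day, clock)

def report_window(start_word, end_word, now, week_start=6):
    """Return the (start, end) window that 'aureport -ts X -te Y' would cover."""
    start = resolve_keyword(start_word, now, True, week_start)
    end = resolve_keyword(end_word, now, False, week_start)
    if start > end:
        raise ValueError("--start is later than --end; the report would be empty")
    return start, end
```
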
       -u, --user
              Report about users

       -v, --version
              Print the version and exit

       --virt Report about Virtualization events

       -x, --executable
              Report about executables


SEE ALSO

       ausearch(8), auditd(8).

Red Hat                            Sept 2014                      AUREPORT:(8)