1AUREPORT:(8) System Administration Utilities AUREPORT:(8)
2
6 aureport - a tool that produces summary reports of audit daemon logs
7
9 aureport [options]
10
12 aureport is a tool that produces summary reports of the audit system
13 logs. The aureport utility can also take input from stdin as long as
14 the input is the raw log data. The reports have a column label at the
15 top to help with interpretation of the various fields. Except for the
16 main summary report, all reports have the audit event number. You can
17 subsequently lookup the full event with ausearch -a event number. You
18 may need to specify start & stop times if you get multiple hits. The
19 reports produced by aureport can be used as building blocks for more
20 complicated analysis.
21
24 -au, --auth
25 Report about authentication attempts
26 -a, --avc
28 Report about avc messages
29 --comm Report about commands run
31 -c, --config
33 Report about config changes
34 -cr, --crypto
36 Report about crypto events
37 -e, --event
39 Report about events
40 -f, --file
42 Report about files
43 --failed
45 Only select failed events for processing in the reports. The
46 default is both success and failed events.
47 -h, --host
49 Report about hosts
50 --help Print brief command summary
52 -i, --interpret
54 Interpret numeric entities into text. For example, uid is con‐
55 verted to account name. The conversion is done using the current
56 resources of the machine where the search is being run. If you
57 have renamed the accounts, or don't have the same accounts on
58 your machine, you could get misleading results.
59 -if, --input file | directory
61 Use the given file or directory instead of the logs. This is to
62 aid analysis where the logs have been moved to another machine
63 or only part of a log was saved.
64 --input-logs
66 Use the log file location from auditd.conf as input for analy‐
67 sis. This is needed if you are using aureport from a cron job.
68 --integrity
70 Report about integrity events
71 -k, --key
73 Report about audit rule keys
74 -l, --login
76 Report about logins
77 -m, --mods
79 Report about account modifications
80 -ma, --mac
82 Report about Mandatory Access Control (MAC) events
83 -n, --anomaly
85 Report about anomaly events. These events include NIC going into
86 promiscuous mode and programs segfaulting.
87 --node node-name
89 Only select events originating from node name string for pro‐
90 cessing in the reports. The default is to include all nodes.
91 Multiple nodes are allowed.
92 -nc, --no-config
94 Do not include the CONFIG_CHANGE event. This is particularly
95 useful for the key report because audit rules have key labels in
96 many cases. Using this option gets rid of these false positives.
97 -p, --pid
99 Report about processes
100 -r, --response
102 Report about responses to anomaly events
103 -s, --syscall
105 Report about syscalls
106 --success
108 Only select successful events for processing in the reports. The
109 default is both success and failed events.
110 --summary
112 Run the summary report that gives a total of the elements of the
113 main report. Not all reports have a summary.
114 -t, --log
116 This option will output a report of the start and end times for
117 each log.
118 --tty Report about tty keystrokes
120 -te, --end [end-date] [end-time]
122 Search for events with time stamps equal to or before the given
123 end time. The format of end time depends on your locale. If the
124 date is omitted, today is assumed. If the time is omitted, now
125 is assumed. Use 24 hour clock time rather than AM or PM to spec‐
126 ify time. An example date using the en_US.utf8 locale is
127 09/03/2009. An example of time is 18:00:00. The date format
128 accepted is influenced by the LC_TIME environmental variable.
129 You may also use the word: now, recent, today, yesterday,
131 this-week, week-ago, this-month, this-year. Today means starting
132 now. Recent is 10 minutes ago. Yesterday is 1 second after mid‐
133 night the previous day. This-week means starting 1 second after
134 midnight on day 0 of the week determined by your locale (see
135 localtime). Week-ago means 1 second after midnight exactly 7
136 days ago. This-month means 1 second after midnight on day 1 of
137 the month. This-year means the 1 second after midnight on the
138 first day of the first month.
139 -tm, --terminal
141 Report about terminals
142 -ts, --start [start-date] [start-time]
144 Search for events with time stamps equal to or after the given
145 end time. The format of end time depends on your locale. If the
146 date is omitted, today is assumed. If the time is omitted, mid‐
147 night is assumed. Use 24 hour clock time rather than AM or PM to
148 specify time. An example date using the en_US.utf8 locale is
149 09/03/2009. An example of time is 18:00:00. The date format
150 accepted is influenced by the LC_TIME environmental variable.
151 You may also use the word: now, recent, today, yesterday,
153 this-week, week-ago, this-month, this-year. Today means starting
154 at 1 second after midnight. Recent is 10 minutes ago. Yesterday
155 is 1 second after midnight the previous day. This-week means
156 starting 1 second after midnight on day 0 of the week determined
157 by your locale (see localtime). Week-ago means starting 1 second
158 after midnight exactly 7 days ago. This-month means 1 second
159 after midnight on day 1 of the month. This-year means the 1 sec‐
160 ond after midnight on the first day of the first month.
161 -u, --user
163 Report about users
164 -v, --version
166 Print the version and exit
167 --virt Report about Virtualization events
169 -x, --executable
171 Report about executables
172
175 ausearch(8), auditd(8).
176Red Hat Sept 2014 AUREPORT:(8)