AUSEARCH:(8)            System Administration Utilities           AUSEARCH:(8)


NAME

       ausearch - a tool to query audit daemon logs

SYNOPSIS

       ausearch [options]

DESCRIPTION

       ausearch is a tool that can query the audit daemon logs for events
       based on different search criteria. The ausearch utility can also
       take input from stdin as long as the input is the raw log data. Each
       commandline option given forms an "and" statement. For example,
       searching with -m and -ui means return events that have both the
       requested type and match the user id given. An exception is the -n
       option; multiple nodes are allowed in a search, which will return any
       matching node.

       It should also be noted that each syscall excursion from user space
       into the kernel and back into user space has one event ID that is
       unique. Any auditable event that is triggered during this trip shares
       this ID so that they may be correlated.

       Different parts of the kernel may add supplemental records. For
       example, an audit event on the syscall "open" will also cause the
       kernel to emit a PATH record with the file name. The ausearch utility
       will present all records that make up one event together. This could
       mean that even though you search for a specific kind of record, the
       resulting events may contain SYSCALL records.

       Also be aware that not all record types have the requested information.
       For example, a PATH record does not have a hostname or a loginuid.

OPTIONS

       -a, --event audit-event-id
              Search for an event based on the given event ID. Messages always
              start with something like msg=audit(1116360555.329:2401771). The
              event ID is the number after the ':'. All audit events that are
              recorded from one application's syscall have the same audit
              event ID. A second syscall made by the same application will
              have a different event ID. This way they are unique.

       --arch CPU
              Search for events based on a specific CPU architecture. If you
              do not know the arch of your machine but you want to use the 32
              bit syscall table and your machine supports 32 bits, you can
              also use b32 for the arch. The same applies to the 64 bit
              syscall table, you can use b64. The arch of your machine can be
              found by doing 'uname -m'.

       -c, --comm comm-name
              Search for an event based on the given comm name. The comm name
              is the executable's name from the task structure.

       --debug
              Write malformed events that are skipped to stderr.

       --checkpoint checkpoint-file
              Checkpoint the output between successive invocations of ausearch
              such that only events not previously output will print in
              subsequent invocations.

              An auditd event is made up of one or more records. When
              processing events, ausearch defines events as either complete or
              incomplete. A complete event is either a single record event or
              one whose event time occurred 2 seconds in the past compared to
              the event being currently processed.

              A checkpoint is achieved by recording the last completed event
              output along with the device number and inode of the file the
              last completed event appeared in checkpoint-file. On a
              subsequent invocation, ausearch will load this checkpoint data
              and as it processes the log files, it will discard all complete
              events until it matches the checkpointed one. At this point, it
              will start outputting complete events.

              Should the file or the last checkpointed event not be found, one
              of a number of errors will result and ausearch will terminate.
              See EXIT STATUS for detail.

       -e, --exit exit-code-or-errno
              Search for an event based on the given syscall exit code or
              errno.

       -f, --file file-name
              Search for an event based on the given filename.

       -ga, --gid-all all-group-id
              Search for an event with either effective group ID or group ID
              matching the given group ID.

       -ge, --gid-effective effective-group-id
              Search for an event with the given effective group ID or group
              name.

       -gi, --gid group-id
              Search for an event with the given group ID or group name.

       -h, --help
              Help

       -hn, --host host-name
              Search for an event with the given host name. The hostname can
              be either a hostname, fully qualified domain name, or numeric
              network address. No attempt is made to resolve numeric addresses
              to domain names or aliases.

       -i, --interpret
              Interpret numeric entities into text. For example, uid is
              converted to account name. The conversion is done using the
              current resources of the machine where the search is being run.
              If you have renamed the accounts, or don't have the same accounts
              on your machine, you could get misleading results.

       -if, --input file-name | directory
              Use the given file or directory instead of the logs. This is to
              aid analysis where the logs have been moved to another machine
              or only part of a log was saved.

       --input-logs
              Use the log file location from auditd.conf as input for
              searching. This is needed if you are using ausearch from a cron
              job.

       --just-one
              Stop after emitting the first event that matches the search
              criteria.

       -k, --key key-string
              Search for an event based on the given key string.

       -l, --line-buffered
              Flush output on every line. Most useful when stdout is connected
              to a pipe and the default block buffering strategy is
              undesirable. May impose a performance penalty.

       -m, --message message-type | comma-sep-message-type-list
              Search for an event matching the given message type. You may
              also enter a comma separated list of message types. There is an
              ALL message type that doesn't exist in the actual logs. It
              allows you to get all messages in the system. The list of valid
              message types is long. The program will display the list
              whenever no message type is passed with this parameter. The
              message type can be either text or numeric. If you enter a list,
              there can be only commas and no spaces separating the list.

       -n, --node node-name
              Search for events originating from node name string. Multiple
              nodes are allowed, and if any nodes match, the event is matched.

       -o, --object SE-Linux-context-string
              Search for event with tcontext (object) matching the string.

       -p, --pid process-id
              Search for an event matching the given process ID.

       -pp, --ppid parent-process-id
              Search for an event matching the given parent process ID.

       -r, --raw
              Output is completely unformatted. This is useful for extracting
              records that can still be interpreted by audit tools.

       -sc, --syscall syscall-name-or-value
              Search for an event matching the given syscall. You may either
              give the numeric syscall value or the syscall name. If you give
              the syscall name, it will use the syscall table for the machine
              that you are using.

       -se, --context SE-Linux-context-string
              Search for event with either scontext/subject or tcontext/object
              matching the string.

       --session Login-Session-ID
              Search for events matching the given Login Session ID. This
              process attribute is set when a user logs in and can tie any
              process to a particular user login.

       -su, --subject SE-Linux-context-string
              Search for event with scontext (subject) matching the string.

       -sv, --success success-value
              Search for an event matching the given success value. Legal
              values are yes and no.

       -te, --end [end-date] [end-time]
              Search for events with time stamps equal to or before the given
              end time. The format of end time depends on your locale. If the
              date is omitted, today is assumed. If the time is omitted, now
              is assumed. Use 24 hour clock time rather than AM or PM to
              specify time. An example date using the en_US.utf8 locale is
              09/03/2009. An example of time is 18:00:00. The date format
              accepted is influenced by the LC_TIME environment variable.

              You may also use the words: now, recent, today, yesterday,
              this-week, week-ago, this-month, or this-year. Today means
              starting now. Recent is 10 minutes ago. Yesterday is 1 second
              after midnight the previous day. This-week means starting 1
              second after midnight on day 0 of the week determined by your
              locale (see localtime). Week-ago means 1 second after midnight
              exactly 7 days ago. This-month means 1 second after midnight on
              day 1 of the month. This-year means 1 second after midnight on
              the first day of the first month.

       -ts, --start [start-date] [start-time]
              Search for events with time stamps equal to or after the given
              start time. The format of start time depends on your locale. If
              the date is omitted, today is assumed. If the time is omitted,
              midnight is assumed. Use 24 hour clock time rather than AM or PM
              to specify time. An example date using the en_US.utf8 locale is
              09/03/2009. An example of time is 18:00:00. The date format
              accepted is influenced by the LC_TIME environment variable.

              You may also use the words: now, recent, today, yesterday,
              this-week, week-ago, this-month, this-year, or checkpoint. Today
              means starting at 1 second after midnight. Recent is 10 minutes
              ago. Yesterday is 1 second after midnight the previous day.
              This-week means starting 1 second after midnight on day 0 of the
              week determined by your locale (see localtime). Week-ago means
              starting 1 second after midnight exactly 7 days ago. This-month
              means 1 second after midnight on day 1 of the month. This-year
              means 1 second after midnight on the first day of the first
              month.

              checkpoint means ausearch will use the timestamp found within a
              valid checkpoint file, ignoring the recorded inode, device,
              serial, node and event type also found within a checkpoint file.
              Essentially, this is the recovery action should an invocation of
              ausearch with a checkpoint option fail with an exit status of
              10, 11 or 12. It could be used in a shell script something like:

                   # Normal run: print only events not output since the last checkpoint
                   ausearch --checkpoint /etc/audit/auditd_checkpoint.txt -i
                   _au_status=$?
                   # Exit status 10, 11 or 12 means the checkpoint could not be used
                   # (see EXIT STATUS); recover by resuming from its timestamp only
                   if test ${_au_status} -eq 10 -o ${_au_status} -eq 11 -o ${_au_status} -eq 12
                   then
                     ausearch --checkpoint /etc/audit/auditd_checkpoint.txt --start checkpoint -i
                   fi

       -tm, --terminal terminal
              Search for an event matching the given terminal value. Some
              daemons such as cron and atd use the daemon name for the
              terminal.

       -ua, --uid-all all-user-id
              Search for an event with either user ID, effective user ID, or
              login user ID (auid) matching the given user ID.

       -ue, --uid-effective effective-user-id
              Search for an event with the given effective user ID.

       -ui, --uid user-id
              Search for an event with the given user ID.

       -ul, --loginuid login-id
              Search for an event with the given login user ID. All entry
              point programs that are pamified need to be configured with
              pam_loginuid required for the session for searching on loginuid
              (auid) to be accurate.

       -uu, --uuid guest-uuid
              Search for an event with the given guest UUID.

       -v, --version
              Print the version and exit

       -vm, --vm-name guest-name
              Search for an event with the given guest name.

       -w, --word
              String based matches must match the whole word. This category of
              matches includes: filename, hostname, terminal, and SE Linux
              context.

       -x, --executable executable
              Search for an event matching the given executable name.


EXIT STATUS

       0    if OK,

       1    if nothing found, or argument errors or minor file access/read
            errors,

       10   invalid checkpoint data found in checkpoint file,

       11   checkpoint processing error

       12   checkpoint event not found in matching log file


SEE ALSO

       auditd(8), pam_loginuid(8).



Red Hat                            Sept 2009                      AUSEARCH:(8)