AUREPORT:(8)            System Administration Utilities           AUREPORT:(8)

NAME

       aureport - a tool that produces summary reports of audit daemon logs


SYNOPSIS

       aureport [options]


DESCRIPTION

       aureport is a tool that produces summary reports of the audit system
       logs. The aureport utility can also take input from stdin as long as
       the input is the raw log data. The reports have a column label at the
       top to help with interpretation of the various fields. Except for the
       main summary report, all reports include the audit event number. You
       can subsequently look up the full event with ausearch -a event-number.
       You may need to specify start and stop times if you get multiple hits.
       The reports produced by aureport can be used as building blocks for
       more complicated analysis.



OPTIONS

       -au, --auth
              Report about authentication attempts

       -a, --avc
              Report about AVC messages

       --comm Report about commands run

       -c, --config
              Report about config changes

       -cr, --crypto
              Report about crypto events

       -e, --event
              Report about events

       --escape option
              This option determines if the output is escaped to make the
              content safer for certain uses. The options are raw, tty,
              shell, and shell_quote. Each mode includes the characters of
              the preceding mode and escapes more characters. That is to say
              shell includes all characters escaped by tty and adds more. tty
              is the default.

       -f, --file
              Report about files and af_unix sockets

       --failed
              Only select failed events for processing in the reports. The
              default is both success and failed events.

       -h, --host
              Report about hosts

       --help Print brief command summary

       -i, --interpret
              Interpret numeric entities into text. For example, uid is
              converted to account name. The conversion is done using the
              current resources of the machine where the search is being run.
              If you have renamed the accounts, or don't have the same
              accounts on your machine, you could get misleading results.

       -if, --input file | directory
              Use the given file or directory instead of the logs. This is to
              aid analysis where the logs have been moved to another machine
              or only part of a log was saved.

       --input-logs
              Use the log file location from auditd.conf as input for
              analysis. This is needed if you are using aureport from a cron
              job.

       --integrity
              Report about integrity events

       -k, --key
              Report about audit rule keys

       -l, --login
              Report about logins

       -m, --mods
              Report about account modifications

       -ma, --mac
              Report about Mandatory Access Control (MAC) events

       -n, --anomaly
              Report about anomaly events. These events include a NIC going
              into promiscuous mode and programs segfaulting.

       --node node-name
              Only select events originating from the given node name string
              for processing in the reports. The default is to include all
              nodes. Multiple nodes are allowed.

       -nc, --no-config
              Do not include the CONFIG_CHANGE event. This is particularly
              useful for the key report because audit rules have key labels
              in many cases. Using this option gets rid of these false
              positives.

       -p, --pid
              Report about processes

       -r, --response
              Report about responses to anomaly events

       -s, --syscall
              Report about syscalls

       --success
              Only select successful events for processing in the reports.
              The default is both success and failed events.

       --summary
              Run the summary report that gives a total of the elements of
              the main report. Not all reports have a summary.

       -t, --log
              This option will output a report of the start and end times for
              each log.

       --tty  Report about tty keystrokes

       -te, --end [end-date] [end-time]
              Search for events with time stamps equal to or before the given
              end time. The format of end time depends on your locale. If the
              date is omitted, today is assumed. If the time is omitted, now
              is assumed. Use 24 hour clock time rather than AM or PM to
              specify time. An example date using the en_US.utf8 locale is
              09/03/2009. An example of time is 18:00:00. The date format
              accepted is influenced by the LC_TIME environment variable.

              You may also use one of the words: now, recent, boot, today,
              yesterday, this-week, week-ago, this-month, this-year. Now
              means starting now. Recent is 10 minutes ago. Boot means the
              time of day to the second when the system last booted. Today
              means now. Yesterday is 1 second after midnight the previous
              day. This-week means starting 1 second after midnight on day 0
              of the week determined by your locale (see localtime). Week-ago
              means 1 second after midnight exactly 7 days ago. This-month
              means 1 second after midnight on day 1 of the month. This-year
              means 1 second after midnight on the first day of the first
              month.

       -tm, --terminal
              Report about terminals

       -ts, --start [start-date] [start-time]
              Search for events with time stamps equal to or after the given
              start time. The format of start time depends on your locale. If
              the date is omitted, today is assumed. If the time is omitted,
              midnight is assumed. Use 24 hour clock time rather than AM or
              PM to specify time. An example date using the en_US.utf8 locale
              is 09/03/2009. An example of time is 18:00:00. The date format
              accepted is influenced by the LC_TIME environment variable.

              You may also use one of the words: now, recent, boot, today,
              yesterday, this-week, week-ago, this-month, this-year. Boot
              means the time of day to the second when the system last
              booted. Today means starting at 1 second after midnight. Recent
              is 10 minutes ago. Yesterday is 1 second after midnight the
              previous day. This-week means starting 1 second after midnight
              on day 0 of the week determined by your locale (see localtime).
              Week-ago means starting 1 second after midnight exactly 7 days
              ago. This-month means 1 second after midnight on day 1 of the
              month. This-year means 1 second after midnight on the first day
              of the first month.

       -u, --user
              Report about users

       -v, --version
              Print the version and exit

       --virt Report about Virtualization events

       -x, --executable
              Report about executables

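       The --start and --end keywords above, resolved into concrete timestamps
       exactly as this page defines them (note that "today" differs between
       the two options). This is an added example in Python, not code from
       aureport or the audit project; the sample clock time and the weekday
       used as the locale's day 0 are assumptions.

```python
# Added example, not aureport's own code: resolve the keyword forms accepted
# by --start/--end into datetimes, following the semantics this man page
# documents. Day 0 of the week is locale dependent, so it is an assumption
# passed in by the caller (Python numbering: 0 = Monday, 6 = Sunday).
from datetime import datetime, timedelta

# Constructed sample clock time (a Wednesday), used only for demonstration.
NOW = datetime(2017, 3, 15, 14, 30, 45)

def _midnight_plus_one(day):
    # Most keywords are defined as "1 second after midnight" of some day.
    return day.replace(hour=0, minute=0, second=1, microsecond=0)

def resolve_keyword(word, now, is_start, uptime_seconds=None, week_start=0):
    """Map one aureport time keyword to a datetime.

    is_start       True for --start, False for --end ("today" differs)
    uptime_seconds first field of /proc/uptime, needed only for "boot"
    week_start     weekday the locale treats as day 0 (assumed, default Monday)
    """
    if word == "now":
        return now
    if word == "recent":
        return now - timedelta(minutes=10)
    if word == "boot":
        if uptime_seconds is None:
            raise ValueError("boot needs uptime_seconds from /proc/uptime")
        # Same calculation as the NOTE section: now minus uptime, whole seconds.
        return now - timedelta(seconds=int(float(uptime_seconds)))
    if word == "today":
        # --end: "Today means now"; --start: 1 second after midnight today.
        return _midnight_plus_one(now) if is_start else now
    if word == "yesterday":
        return _midnight_plus_one(now - timedelta(days=1))
    if word == "this-week":
        days_back = (now.weekday() - week_start) % 7
        return _midnight_plus_one(now - timedelta(days=days_back))
    if word == "week-ago":
        return _midnight_plus_one(now - timedelta(days=7))
    if word == "this-month":
        return _midnight_plus_one(now.replace(day=1))
    if word == "this-year":
        return _midnight_plus_one(now.replace(month=1, day=1))
    raise ValueError("unknown time keyword: %s" % word)

def window(start_word, end_word, now=NOW, **kw):
    """(start, end) pair a report would cover; start/end keywords differ."""
    return (resolve_keyword(start_word, now, True, **kw),
            resolve_keyword(end_word, now, False, **kw))
```

       Checking a window this way before scheduling a cron report avoids the
       common mistake of assuming "today" means midnight for --end as well.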

NOTE

       The boot time option is a convenience function and has limitations.
       The time it calculates is based on the time now minus /proc/uptime. If
       after boot the system clock has been adjusted, perhaps by ntp, then
       the calculation may be wrong. In that case you'll need to fully
       specify the time. You can check the time it would use by running:

       date -d "`cut -f1 -d. /proc/uptime` seconds ago"



SEE ALSO

       ausearch(8), auditd(8).


Red Hat                           March 2017                      AUREPORT:(8)