1AUSEARCH:(8) System Administration Utilities AUSEARCH:(8)
2
3
4
6 ausearch - a tool to query audit daemon logs
7
9 ausearch [options]
10
12 ausearch is a tool that can query the audit daemon logs based for
13 events based on different search criteria. The ausearch utility can
14 also take input from stdin as long as the input is the raw log data.
15 Each commandline option given forms an "and" statement. For example,
16 searching with -m and -ui means return events that have both the
17 requested type and match the user id given. An exception is the -m and
18 -n options; multiple record types and nodes are allowed in a search
19 which will return any matching node and record.
20
21 It should also be noted that each syscall excursion from user space
22 into the kernel and back into user space has one event ID that is
23 unique. Any auditable event that is triggered during this trip share
24 this ID so that they may be correlated.
25
26 Different parts of the kernel may add supplemental records. For exam‐
27 ple, an audit event on the syscall "open" will also cause the kernel to
28 emit a PATH record with the file name. The ausearch utility will
29 present all records that make up one event together. This could mean
30 that even though you search for a specific kind of record, the result‐
31 ing events may contain SYSCALL records.
32
33 Also be aware that not all record types have the requested information.
34 For example, a PATH record does not have a hostname or a loginuid.
35
36
38 -a, --event audit-event-id
39 Search for an event based on the given event ID. Messages always
40 start with something like msg=audit(1116360555.329:2401771). The
41 event ID is the number after the ':'. All audit events that are
42 recorded from one application's syscall have the same audit
43 event ID. A second syscall made by the same application will
44 have a different event ID. This way they are unique.
45
46 --arch CPU
47 Search for events based on a specific CPU architecture. If you
48 do not know the arch of your machine but you want to use the 32
49 bit syscall table and your machine supports 32 bits, you can
50 also use b32 for the arch. The same applies to the 64 bit
51 syscall table, you can use b64. The arch of your machine can be
52 found by doing 'uname -m'.
53
54 -c, --comm comm-name
55 Search for an event based on the given comm name. The comm name
56 is the executable's name from the task structure.
57
58 --debug
59 Write malformed events that are skipped to stderr.
60
61 --checkpoint checkpoint-file
62 Checkpoint the output between successive invocations of ausearch
63 such that only events not previously output will print in subse‐
64 quent invocations.
65
66 An auditd event is made up of one or more records. When process‐
67 ing events, ausearch defines events as either complete or in-
68 complete. A complete event is either a single record event or
69 one whose event time occurred 2 seconds in the past compared to
70 the event being currently processed.
71
72 A checkpoint is achieved by recording the last completed event
73 output along with the device number and inode of the file the
74 last completed event appeared in checkpoint-file. On a subse‐
75 quent invocation, ausearch will load this checkpoint data and as
76 it processes the log files, it will discard all complete events
77 until it matches the checkpointed one. At this point, it will
78 start outputting complete events.
79
80 Should the file or the last checkpointed event not be found, one
81 of a number of errors will result and ausearch will terminate.
82 See EXIT STATUS for detail.
83
84
85 -e, --exit exit-code-or-errno
86 Search for an event based on the given syscall exit code or
87 errno.
88
89 --escape option
90 This option determines if the output is escaped to make the con‐
91 tent safer for certain uses. The options are raw , tty , shell ,
92 and shell_quote. Each mode includes the characters of the pre‐
93 ceding mode and escapes more characters. That is to say shell
94 includes all characters escaped by tty and adds more. tty is the
95 default.
96
97 --extra-keys
98 When the format mode is csv, this option will add a final column
99 with key information if its exists for the event. This would
100 only occur on SYSCALL records which were the result of trigger‐
101 ing an audit rule that defines a key.
102
103 --extra-labels
104 When the format mode is csv, this option will add columns of
105 information about subject and object labels when they exist.
106
107 --extra-obj2
108 When the format mode is csv, this option will add columns of
109 information about a second object when it exists. It's rare that
110 a second object is part of a record. Some examples are when a
111 file is renamed from one name to another or when a device is
112 mounted to a path.
113
114 --extra-time
115 When the format mode is csv, this option will add columns of
116 information about broken down time to make subsetting easier.
117
118 -f, --file file-name
119 Search for an event based on the given filename. The argument
120 will match normal files as well as af_unix sockets.
121
122 --format option
123 Events that match the search criteria are formatted using this
124 option. The supported formats are: raw, default, interpret, csv,
125 and text. The raw option is described under the --raw command
126 line option. The default option is what you get when no format‐
127 ting options are passed. It includes one line as a visual sepa‐
128 rator which indicates the time stamp and then the records of the
129 event follow. The interpret option is explained under the -i
130 command line option. The csv option outputs the results of the
131 search as a normalized event in comma separated value (CSV) for‐
132 mat suitable for import into analytical programs. The text
133 option turns the event into an English sentence that is easier
134 to understand than other options, but it comes at the expense of
135 loss of detail. In most cases this is perfectly fine since the
136 original event still retains all the original information.
137
138 -ga, --gid-all all-group-id
139 Search for an event with either effective group ID or group ID
140 matching the given group ID.
141
142 -ge, --gid-effective effective-group-id
143 Search for an event with the given effective group ID or group
144 name.
145
146 -gi, --gid group-id
147 Search for an event with the given group ID or group name.
148
149 -h, --help
150 Help
151
152 -hn, --host host-name
153 Search for an event with the given host name. The hostname can
154 be either a hostname, fully qualified domain name, or numeric
155 network address. No attempt is made to resolve numeric addresses
156 to domain names or aliases. This search typically correlates to
157 the addr or host field of audit events. Also see the --node com‐
158 mand which searches the node field.
159
160 -i, --interpret
161 Interpret numeric entities into text. For example, uid is con‐
162 verted to account name. If the audit logs are unenriched, the
163 conversion is done using the current resources of the machine
164 where the search is being run. If you have renamed the accounts,
165 or don't have the same accounts on your machine, you could get
166 misleading results. If the logs are enriched, it uses the sup‐
167 plemental data to do the conversion. This allows accurate log
168 reporting even when run on a different machine than the original
169 logs came from.
170
171 -if, --input file-name | directory
172 Use the given file or directory instead of the logs. This is to
173 aid analysis where the logs have been moved to another machine
174 or only part of a log was saved.
175
176 --input-logs
177 Use the log file location from auditd.conf as input for search‐
178 ing. This is needed if you are using ausearch from a cron job.
179
180 --just-one
181 Stop after emitting the first event that matches the search cri‐
182 teria.
183
184 -k, --key key-string
185 Search for an event based on the given key string.
186
187 -l, --line-buffered
188 Flush output on every line. Most useful when stdout is connected
189 to a pipe and the default block buffering strategy is undesir‐
190 able. May impose a performance penalty.
191
192 -m, --message message-type | comma-sep-message-type-list
193 Search for an event matching the given message type. (Message
194 types are also known as record types.) You may also enter a
195 comma separated list of message types or multiple individual
196 message types each with its own -m option. There is an ALL mes‐
197 sage type that doesn't exist in the actual logs. It allows you
198 to get all messages in the system. The list of valid messages
199 types is long. The program will display the list whenever no
200 message type is passed with this parameter. The message type can
201 be either text or numeric. If you enter a list, there can be
202 only commas and no spaces separating the list.
203
204 -n, --nodeSearchforeventsoriginatingfromaspecificmachine.Multiplenode‐
205 sareallowed,andifanynodesmatch,theeventismatched.Thissearchusesthenode‐
206 fieldinauditevents.Alsoseethe--hostcommandwhichsearchforeventsrelated‐
207 tohostinformationintheaudittrail.
208
209 -o, --object SE-Linux-context-string
210 Search for event with tcontext (object) matching the string.
211
212 -p, --pid process-id
213 Search for an event matching the given process ID.
214
215 -pp, --ppid parent-process-id
216 Search for an event matching the given parent process ID.
217
218 -r, --raw
219 Output is completely unformatted. This is useful for extracting
220 records to a file that can still be interpreted by audit tools
221 or when piping to other audit tools.
222
223 -sc, --syscall syscall-name-or-value
224 Search for an event matching the given syscall. You may either
225 give the numeric syscall value or the syscall name. If you give
226 the syscall name, it will use the syscall table for the machine
227 that you are using.
228
229 -se, --context SE-Linux-context-string
230 Search for event with either scontext/subject or tcontext/object
231 matching the string.
232
233 --session Login-Session-ID
234 Search for events matching the given Login Session ID. This
235 process attribute is set when a user logs in and can tie any
236 process to a particular user login.
237
238 -su, --subject SE-Linux-context-string
239 Search for event with scontext (subject) matching the string.
240
241 -sv, --success success-value
242 Search for an event matching the given success value. Legal val‐
243 ues are yes and no.
244
245 -te, --end [end-date] [end-time]
246 Search for events with time stamps equal to or before the given
247 end time. The format of end time depends on your locale. You can
248 check the format of your locale by running date '+%x'. If the
249 date is omitted, today is assumed. If the time is omitted, now
250 is assumed. Use 24 hour clock time rather than AM or PM to spec‐
251 ify time. An example date using the en_US.utf8 locale is
252 09/03/2009. An example of time is 18:00:00. The date format
253 accepted is influenced by the LC_TIME environmental variable.
254
255 You may also use the word: now, recent, boot, today, yesterday,
256 this-week, week-ago, this-month, or this-year. Now means start‐
257 ing now. Recent is 10 minutes ago. Boot means the time of day to
258 the second when the system last booted. Today means now. Yester‐
259 day is 1 second after midnight the previous day. This-week means
260 starting 1 second after midnight on day 0 of the week determined
261 by your locale (see localtime). Week-ago means 1 second after
262 midnight exactly 7 days ago. This-month means 1 second after
263 midnight on day 1 of the month. This-year means the 1 second
264 after midnight on the first day of the first month.
265
266 -ts, --start [start-date] [start-time]
267 Search for events with time stamps equal to or after the given
268 start time. The format of start time depends on your locale. You
269 can check the format of your locale by running date '+%x'. If
270 the date is omitted, today is assumed. If the time is omitted,
271 midnight is assumed. Use 24 hour clock time rather than AM or PM
272 to specify time. An example date using the en_US.utf8 locale is
273 09/03/2009. An example of time is 18:00:00. The date format
274 accepted is influenced by the LC_TIME environmental variable.
275
276 You may also use the word: now, recent, boot, today, yesterday,
277 this-week, week-ago, this-month, this-year, or checkpoint. Boot
278 means the time of day to the second when the system last booted.
279 Today means starting at 1 second after midnight. Recent is 10
280 minutes ago. Yesterday is 1 second after midnight the previous
281 day. This-week means starting 1 second after midnight on day 0
282 of the week determined by your locale (see localtime). Week-ago
283 means starting 1 second after midnight exactly 7 days ago.
284 This-month means 1 second after midnight on day 1 of the month.
285 This-year means the 1 second after midnight on the first day of
286 the first month.
287
288 checkpoint means ausearch will use the timestamp found within a
289 valid checkpoint file ignoring the recorded inode, device,
290 serial, node and event type also found within a checkpoint file.
291 Essentially, this is the recovery action should an invocation of
292 ausearch with a checkpoint option fail with an exit status of
293 10, 11 or 12. It could be used in a shell script something like:
294
295 ausearch --checkpoint /etc/audit/auditd_checkpoint.txt -i
296 _au_status=$?
297 if test ${_au_status} eq 10 -o ${_au_status} eq 11 -o ${_au_status} eq 12
298 then
299 ausearch --checkpoint /etc/audit/auditd_checkpoint.txt --start checkpoint -i
300 fi
301
302 -tm, --terminal terminal
303 Search for an event matching the given terminal value. Some dae‐
304 mons such as cron and atd use the daemon name for the terminal.
305
306 -ua, --uid-all all-user-id
307 Search for an event with either user ID, effective user ID, or
308 login user ID (auid) matching the given user ID.
309
310 -ue, --uid-effective effective-user-id
311 Search for an event with the given effective user ID.
312
313 -ui, --uid user-id
314 Search for an event with the given user ID.
315
316 -ul, --loginuid login-id
317 Search for an event with the given login user ID. All entry
318 point programs that are pamified need to be configured with
319 pam_loginuid required for the session for searching on loginuid
320 (auid) to be accurate.
321
322 -uu, --uuid guest-uuid
323 Search for an event with the given guest UUID.
324
325 -v, --version
326 Print the version and exit
327
328 -vm, --vm-name guest-name
329 Search for an event with the given guest name.
330
331 -w, --word
332 String based matches must match the whole word. This category of
333 matches include: filename, hostname, terminal, keys, and SE
334 Linux context.
335
336 -x, --executable executable
337 Search for an event matching the given executable name.
338
339
341 0 if OK,
342
343 1 if nothing found, or argument errors or minor file acces/read
344 errors,
345
346 10 invalid checkpoint data found in checkpoint file,
347
348 11 checkpoint processing error
349
350 12 checkpoint event not found in matching log file
351
353 The boot time option is a convenience function and has limitations. The
354 time it calculates is based on time now minus /proc/uptime. If after
355 boot the system clock has been adjusted, perhaps by ntp, then the cal‐
356 culation may be wrong. In that case you'll need to fully specify the
357 time. You can check the time it would use by running:
358
359 date -d "`cut -f1 -d. /proc/uptime` seconds ago"
360
361
363 auditd(8), pam_loginuid(8).
364
365
366
367Red Hat March 2017 AUSEARCH:(8)