1AUSEARCH:(8)            System Administration Utilities           AUSEARCH:(8)
2
3
4

NAME

6       ausearch - a tool to query audit daemon logs
7

SYNOPSIS

9       ausearch [options]
10

DESCRIPTION

12       ausearch  is  a  tool  that  can  query the audit daemon logs based for
13       events based on different search criteria.  The  ausearch  utility  can
14       also  take  input  from stdin as long as the input is the raw log data.
15       Each commandline option given forms an "and"  statement.  For  example,
16       searching  with  -m  and  -ui  means  return  events that have both the
17       requested type and match the user id given. An exception is the -m  and
18       -n  options;  multiple  record  types and nodes are allowed in a search
19       which will return any matching node and record.
20
21       It should also be noted that each syscall  excursion  from  user  space
22       into  the  kernel  and  back  into  user space has one event ID that is
23       unique. Any auditable event that is triggered during  this  trip  share
24       this ID so that they may be correlated.
25
26       Different  parts  of the kernel may add supplemental records. For exam‐
27       ple, an audit event on the syscall "open" will also cause the kernel to
28       emit  a  PATH  record  with  the  file  name. The ausearch utility will
29       present all records that make up one event together.  This  could  mean
30       that  even though you search for a specific kind of record, the result‐
31       ing events may contain SYSCALL records.
32
33       Also be aware that not all record types have the requested information.
34       For example, a PATH record does not have a hostname or a loginuid.
35
36

OPTIONS

38       -a, --event audit-event-id
39              Search for an event based on the given event ID. Messages always
40              start with something like msg=audit(1116360555.329:2401771). The
41              event  ID is the number after the ':'. All audit events that are
42              recorded from one application's  syscall  have  the  same  audit
43              event  ID.  A  second  syscall made by the same application will
44              have a different event ID. This way they are unique.
45
46       --arch CPU
47              Search for events based on a specific CPU architecture.  If  you
48              do  not know the arch of your machine but you want to use the 32
49              bit syscall table and your machine supports  32  bits,  you  can
50              also  use  b32  for  the  arch.  The  same applies to the 64 bit
51              syscall table, you can use b64.  The arch of your machine can be
52              found by doing 'uname -m'.
53
54       -c, --comm comm-name
55              Search  for an event based on the given comm name. The comm name
56              is the executable's name from the task structure.
57
58       --debug
59              Write malformed events that are skipped to stderr.
60
61       --checkpoint checkpoint-file
62              Checkpoint the output between successive invocations of ausearch
63              such that only events not previously output will print in subse‐
64              quent invocations.
65
66              An auditd event is made up of one or more records. When process‐
67              ing  events,  ausearch  defines events as either complete or in-
68              complete.  A complete event is either a single record  event  or
69              one  whose event time occurred 2 seconds in the past compared to
70              the event being currently processed.
71
72              A checkpoint is achieved by recording the last  completed  event
73              output  along  with  the device number and inode of the file the
74              last completed event appeared in checkpoint-file.  On  a  subse‐
75              quent invocation, ausearch will load this checkpoint data and as
76              it processes the log files, it will discard all complete  events
77              until  it  matches  the checkpointed one. At this point, it will
78              start outputting complete events.
79
80              Should the file or the last checkpointed event not be found, one
81              of  a  number of errors will result and ausearch will terminate.
82              See EXIT STATUS for detail.
83
84
85       -e, --exit exit-code-or-errno
86              Search for an event based on the  given  syscall  exit  code  or
87              errno.
88
89       --escape option
90              This option determines if the output is escaped to make the con‐
91              tent safer for certain uses. The options are raw , tty , shell ,
92              and  shell_quote.  Each mode includes the characters of the pre‐
93              ceding mode and escapes more characters. That is  to  say  shell
94              includes all characters escaped by tty and adds more. tty is the
95              default.
96
97       --extra-keys
98              When the format mode is csv, this option will add a final column
99              with  key  information  if  its exists for the event. This would
100              only occur on SYSCALL records which were the result of  trigger‐
101              ing an audit rule that defines a key.
102
103       --extra-labels
104              When  the  format  mode  is csv, this option will add columns of
105              information about subject and object labels when they exist.
106
107       --extra-obj2
108              When the format mode is csv, this option  will  add  columns  of
109              information about a second object when it exists. It's rare that
110              a second object is part of a record. Some examples  are  when  a
111              file  is  renamed  from  one name to another or when a device is
112              mounted to a path.
113
114       --extra-time
115              When the format mode is csv, this option  will  add  columns  of
116              information about broken down time to make subsetting easier.
117
118       -f, --file file-name
119              Search  for  an  event based on the given filename. The argument
120              will match normal files as well as af_unix sockets.
121
122       --format option
123              Events that match the search criteria are formatted  using  this
124              option. The supported formats are: raw, default, interpret, csv,
125              and text. The raw option is described under  the  --raw  command
126              line  option. The default option is what you get when no format‐
127              ting options are passed. It includes one line as a visual  sepa‐
128              rator which indicates the time stamp and then the records of the
129              event follow. The interpret option is  explained  under  the  -i
130              command  line  option. The csv option outputs the results of the
131              search as a normalized event in comma separated value (CSV) for‐
132              mat  suitable  for  import  into  analytical  programs. The text
133              option turns the event into an English sentence that  is  easier
134              to understand than other options, but it comes at the expense of
135              loss of detail. In most cases this is perfectly fine  since  the
136              original event still retains all the original information.
137
138       -ga, --gid-all all-group-id
139              Search  for  an event with either effective group ID or group ID
140              matching the given group ID.
141
142       -ge, --gid-effective effective-group-id
143              Search for an event with the given effective group ID  or  group
144              name.
145
146       -gi, --gid group-id
147              Search for an event with the given group ID or group name.
148
149       -h, --help
150              Help
151
152       -hn, --host host-name
153              Search  for  an event with the given host name. The hostname can
154              be either a hostname, fully qualified domain  name,  or  numeric
155              network address. No attempt is made to resolve numeric addresses
156              to domain names or aliases. This search typically correlates  to
157              the addr or host field of audit events. Also see the --node com‐
158              mand which searches the node field.
159
160       -i, --interpret
161              Interpret numeric entities into text. For example, uid  is  con‐
162              verted  to  account  name. If the audit logs are unenriched, the
163              conversion is done using the current resources  of  the  machine
164              where the search is being run. If you have renamed the accounts,
165              or don't have the same accounts on your machine, you  could  get
166              misleading  results.  If the logs are enriched, it uses the sup‐
167              plemental data to do the conversion. This  allows  accurate  log
168              reporting even when run on a different machine than the original
169              logs came from.
170
171       -if, --input file-name | directory
172              Use the given file or directory instead of the logs. This is  to
173              aid  analysis  where the logs have been moved to another machine
174              or only part of a log was saved.
175
176       --input-logs
177              Use the log file location from auditd.conf as input for  search‐
178              ing. This is needed if you are using ausearch from a cron job.
179
180       --just-one
181              Stop after emitting the first event that matches the search cri‐
182              teria.
183
184       -k, --key key-string
185              Search for an event based on the given key string.
186
187       -l, --line-buffered
188              Flush output on every line. Most useful when stdout is connected
189              to  a  pipe and the default block buffering strategy is undesir‐
190              able. May impose a performance penalty.
191
192       -m, --message message-type | comma-sep-message-type-list
193              Search for an event matching the given  message  type.  (Message
194              types  are  also  known  as  record types.) You may also enter a
195              comma separated list of message  types  or  multiple  individual
196              message  types each with its own -m option. There is an ALL mes‐
197              sage type that doesn't exist in the actual logs. It  allows  you
198              to  get  all  messages in the system. The list of valid messages
199              types is long. The program will display  the  list  whenever  no
200              message type is passed with this parameter. The message type can
201              be either text or numeric. If you enter a  list,  there  can  be
202              only commas and no spaces separating the list.
203
204       -n, --nodeSearchforeventsoriginatingfromaspecificmachine.Multiplenode‐
205       sareallowed,andifanynodesmatch,theeventismatched.Thissearchusesthenode‐
206       fieldinauditevents.Alsoseethe--hostcommandwhichsearchforeventsrelated‐
207       tohostinformationintheaudittrail.
208
209       -o, --object SE-Linux-context-string
210              Search for event with tcontext (object) matching the string.
211
212       -p, --pid process-id
213              Search for an event matching the given process ID.
214
215       -pp, --ppid parent-process-id
216              Search for an event matching the given parent process ID.
217
218       -r, --raw
219              Output is completely unformatted. This is useful for  extracting
220              records  to  a file that can still be interpreted by audit tools
221              or when piping to other audit tools.
222
223       -sc, --syscall syscall-name-or-value
224              Search for an event matching the given syscall. You  may  either
225              give  the numeric syscall value or the syscall name. If you give
226              the syscall name, it will use the syscall table for the  machine
227              that you are using.
228
229       -se, --context SE-Linux-context-string
230              Search for event with either scontext/subject or tcontext/object
231              matching the string.
232
233       --session Login-Session-ID
234              Search for events matching the  given  Login  Session  ID.  This
235              process  attribute  is  set  when a user logs in and can tie any
236              process to a particular user login.
237
238       -su, --subject SE-Linux-context-string
239              Search for event with scontext (subject) matching the string.
240
241       -sv, --success success-value
242              Search for an event matching the given success value. Legal val‐
243              ues are yes and no.
244
245       -te, --end [end-date] [end-time]
246              Search  for events with time stamps equal to or before the given
247              end time. The format of end time depends on your locale. You can
248              check  the  format of your locale by running date '+%x'.  If the
249              date is omitted, today is assumed. If the time is  omitted,  now
250              is assumed. Use 24 hour clock time rather than AM or PM to spec‐
251              ify time.  An  example  date  using  the  en_US.utf8  locale  is
252              09/03/2009.  An  example  of  time  is 18:00:00. The date format
253              accepted is influenced by the LC_TIME environmental variable.
254
255              You may also use the word: now, recent, boot, today,  yesterday,
256              this-week,  week-ago, this-month, or this-year. Now means start‐
257              ing now. Recent is 10 minutes ago. Boot means the time of day to
258              the second when the system last booted. Today means now. Yester‐
259              day is 1 second after midnight the previous day. This-week means
260              starting 1 second after midnight on day 0 of the week determined
261              by your locale (see localtime). Week-ago means  1  second  after
262              midnight  exactly  7  days  ago. This-month means 1 second after
263              midnight on day 1 of the month. This-year  means  the  1  second
264              after midnight on the first day of the first month.
265
266       -ts, --start [start-date] [start-time]
267              Search  for  events with time stamps equal to or after the given
268              start time. The format of start time depends on your locale. You
269              can  check  the format of your locale by running date '+%x'.  If
270              the date is omitted, today is assumed. If the time  is  omitted,
271              midnight is assumed. Use 24 hour clock time rather than AM or PM
272              to specify time. An example date using the en_US.utf8 locale  is
273              09/03/2009.  An  example  of  time  is 18:00:00. The date format
274              accepted is influenced by the LC_TIME environmental variable.
275
276              You may also use the word: now, recent, boot, today,  yesterday,
277              this-week,  week-ago, this-month, this-year, or checkpoint. Boot
278              means the time of day to the second when the system last booted.
279              Today  means  starting  at 1 second after midnight. Recent is 10
280              minutes ago. Yesterday is 1 second after midnight  the  previous
281              day.  This-week  means starting 1 second after midnight on day 0
282              of the week determined by your locale (see localtime).  Week-ago
283              means  starting  1  second  after  midnight  exactly 7 days ago.
284              This-month means 1 second after midnight on day 1 of the  month.
285              This-year  means the 1 second after midnight on the first day of
286              the first month.
287
288              checkpoint means ausearch will use the timestamp found within  a
289              valid  checkpoint  file  ignoring  the  recorded  inode, device,
290              serial, node and event type also found within a checkpoint file.
291              Essentially, this is the recovery action should an invocation of
292              ausearch with a checkpoint option fail with an  exit  status  of
293              10, 11 or 12. It could be used in a shell script something like:
294
295                   ausearch --checkpoint /etc/audit/auditd_checkpoint.txt -i
296                   _au_status=$?
297                   if test ${_au_status} eq 10 -o ${_au_status} eq 11 -o ${_au_status} eq 12
298                   then
299                     ausearch --checkpoint /etc/audit/auditd_checkpoint.txt --start checkpoint -i
300                   fi
301
302       -tm, --terminal terminal
303              Search for an event matching the given terminal value. Some dae‐
304              mons such as cron and atd use the daemon name for the terminal.
305
306       -ua, --uid-all all-user-id
307              Search for an event with either user ID, effective user  ID,  or
308              login user ID (auid) matching the given user ID.
309
310       -ue, --uid-effective effective-user-id
311              Search for an event with the given effective user ID.
312
313       -ui, --uid user-id
314              Search for an event with the given user ID.
315
316       -ul, --loginuid login-id
317              Search  for  an  event  with  the given login user ID. All entry
318              point programs that are pamified  need  to  be  configured  with
319              pam_loginuid  required for the session for searching on loginuid
320              (auid) to be accurate.
321
322       -uu, --uuid guest-uuid
323              Search for an event with the given guest UUID.
324
325       -v, --version
326              Print the version and exit
327
328       -vm, --vm-name guest-name
329              Search for an event with the given guest name.
330
331       -w, --word
332              String based matches must match the whole word. This category of
333              matches  include:  filename,  hostname,  terminal,  keys, and SE
334              Linux context.
335
336       -x, --executable executable
337              Search for an event matching the given executable name.
338
339

EXIT STATUS

341       0    if OK,
342
343       1    if nothing found, or argument  errors  or  minor  file  acces/read
344            errors,
345
346       10   invalid checkpoint data found in checkpoint file,
347
348       11   checkpoint processing error
349
350       12   checkpoint event not found in matching log file
351

NOTE

353       The boot time option is a convenience function and has limitations. The
354       time it calculates is based on time now minus  /proc/uptime.  If  after
355       boot  the system clock has been adjusted, perhaps by ntp, then the cal‐
356       culation may be wrong. In that case you'll need to  fully  specify  the
357       time. You can check the time it would use by running:
358
359       date -d "`cut -f1 -d. /proc/uptime` seconds ago"
360
361

SEE ALSO

363       auditd(8), pam_loginuid(8).
364
365
366
367Red Hat                           March 2017                      AUSEARCH:(8)
Impressum