1AUREPORT:(8) System Administration Utilities AUREPORT:(8)
2
6 aureport - a tool that produces summary reports of audit daemon logs
7
9 aureport [options]
10
12 aureport is a tool that produces summary reports of the audit system
13 logs. The aureport utility can also take input from stdin as long as
14 the input is the raw log data. The reports have a column label at the
15 top to help with interpretation of the various fields. Except for the
16 main summary report, all reports have the audit event number. You can
17 subsequently lookup the full event with ausearch -a event number. You
18 may need to specify start & stop times if you get multiple hits. The
19 reports produced by aureport can be used as building blocks for more
20 complicated analysis.
21
24 -au, --auth
25 Report about authentication attempts
26 -a, --avc
28 Report about avc messages
29 -c, --config
31 Report about config changes
32 -cr, --crypto
34 Report about crypto events
35 -e, --event
37 Report about events
38 -f, --file
40 Report about files
41 --failed
43 Only select failed events for processing in the reports. The
44 default is both success and failed events.
45 -h, --host
47 Report about hosts
48 --help Print brief command summary
50 -i, --interpret
52 Interpret numeric entities into text. For example, uid is con‐
53 verted to account name. The conversion is done using the current
54 resources of the machine where the search is being run. If you
55 have renamed the accounts, or don't have the same accounts on
56 your machine, you could get misleading results.
57 -if, --input file
59 Use the given file instead if the logs. This is to aid analysis
60 where the logs have been moved to another machine or only part
61 of a log was saved.
62 --input-logs
64 Use the log file location from auditd.conf as input for analy‐
65 sis. This is needed if you are using aureport from a cron job.
66 -k, --key
68 Report about audit rule keys
69 -l, --login
71 Report about logins
72 -m, --mods
74 Report about account modifications
75 -ma, --mac
77 Report about Mandatory Access Control (MAC) events
78 -n, --anomaly
80 Report about anomaly events. These events include NIC going into
81 promiscuous mode and programs segfaulting.
82 --node node-name
84 Only select events originating from node name string for pro‐
85 cessing in the reports. The default is to include all nodes.
86 Multiple nodes are allowed.
87 -p, --pid
89 Report about processes
90 -r, --response
92 Report about responses to anomaly events
93 -s, --syscall
95 Report about syscalls
96 --success
98 Only select successful events for processing in the reports. The
99 default is both success and failed events.
100 --summary
102 Run the summary report that gives a total of the elements of the
103 main report. Not all reports have a summary.
104 -t, --log
106 This option will output a report of the start and end times for
107 each log.
108 --tty Report about tty keystrokes
110 -te, --end [end-date] [end-time]
112 Search for events with time stamps equal to or before the given
113 end time. The format of end time depends on your locale. If the
114 date is omitted, today is assumed. If the time is omitted, now
115 is assumed. Use 24 hour clock time rather than AM or PM to spec‐
116 ify time. An example date using the en_US.utf8 locale is
117 09/03/2009. An example of time is 18:00:00. The date format
118 accepted is influenced by the LC_TIME environmental variable.
119 You may also use the word: now, recent, today, yesterday,
121 this-week, week-ago, this-month, this-year. Today means starting
122 now. Recent is 10 minutes ago. Yesterday is 1 second after mid‐
123 night the previous day. This-week means starting 1 second after
124 midnight on day 0 of the week determined by your locale (see
125 localtime). This-month means 1 second after midnight on day 1 of
126 the month. This-year means the 1 second after midnight on the
127 first day of the first month.
128 -tm, --terminal
130 Report about terminals
131 -ts, --start [start-date] [start-time]
133 Search for events with time stamps equal to or after the given
134 end time. The format of end time depends on your locale. If the
135 date is omitted, today is assumed. If the time is omitted, mid‐
136 night is assumed. Use 24 hour clock time rather than AM or PM to
137 specify time. An example date using the en_US.utf8 locale is
138 09/03/2009. An example of time is 18:00:00. The date format
139 accepted is influenced by the LC_TIME environmental variable.
140 You may also use the word: now, recent, today, yesterday,
142 this-week, this-month, this-year. Today means starting at 1 sec‐
143 ond after midnight. Recent is 10 minutes ago. Yesterday is 1
144 second after midnight the previous day. This-week means starting
145 1 second after midnight on day 0 of the week determined by your
146 locale (see localtime). This-month means 1 second after midnight
147 on day 1 of the month. This-year means the 1 second after mid‐
148 night on the first day of the first month.
149 -u, --user
151 Report about users
152 -v, --version
154 Print the version and exit
155 -x, --executable
157 Report about executables
158
161 ausearch(8), auditd(8).
162Red Hat Sept 2009 AUREPORT:(8)