1AUSEARCH(8) System Administration Utilities AUSEARCH(8)
2
6 ausearch - a tool to query audit daemon logs
7
9 ausearch [options]
10
12 ausearch is a tool that can query the audit daemon logs based for
13 events based on different search criteria. The ausearch utility can
14 also take input from stdin as long as the input is the raw log data.
15 Each commandline option given forms an "and" statement. For example,
16 searching with -m and -ui means return events that have both the re‐
17 quested type and match the user id given. An exception is the -m and
18 -n options; multiple record types and nodes are allowed in a search
19 which will return any matching node and record.
20 It should also be noted that each syscall excursion from user space
22 into the kernel and back into user space has one event ID that is
23 unique. Any auditable event that is triggered during this trip share
24 this ID so that they may be correlated.
25 Different parts of the kernel may add supplemental records. For exam‐
27 ple, an audit event on the syscall "open" will also cause the kernel to
28 emit a PATH record with the file name. The ausearch utility will
29 present all records that make up one event together. This could mean
30 that even though you search for a specific kind of record, the result‐
31 ing events may contain SYSCALL records.
32 Also be aware that not all record types have the requested information.
34 For example, a PATH record does not have a hostname or a loginuid.
35
38 -a, --event audit-event-id
39 Search for an event based on the given event ID. Messages always
40 start with something like msg=audit(1116360555.329:2401771). The
41 event ID is the number after the ':'. All audit events that are
42 recorded from one application's syscall have the same audit
43 event ID. A second syscall made by the same application will
44 have a different event ID. This way they are unique.
45 --arch CPU
47 Search for events based on a specific CPU architecture. If you
48 do not know the arch of your machine but you want to use the 32
49 bit syscall table and your machine supports 32 bits, you can
50 also use b32 for the arch. The same applies to the 64 bit
51 syscall table, you can use b64. The arch of your machine can be
52 found by doing 'uname -m'.
53 -c, --comm comm-name
55 Search for an event based on the given comm name. The comm name
56 is the executable's name from the task structure.
57 --debug
59 Write malformed events that are skipped to stderr.
60 --checkpoint checkpoint-file
62 Checkpoint the output between successive invocations of ausearch
63 such that only events not previously output will print in subse‐
64 quent invocations.
65 An auditd event is made up of one or more records. When process‐
67 ing events, ausearch defines events as either complete or in-
68 complete. A complete event is either a single record event or
69 one whose event time occurred 2 seconds in the past compared to
70 the event being currently processed.
71 A checkpoint is achieved by recording the last completed event
73 output along with the device number and inode of the file the
74 last completed event appeared in checkpoint-file. On a subse‐
75 quent invocation, ausearch will load this checkpoint data and as
76 it processes the log files, it will discard all complete events
77 until it matches the checkpointed one. At this point, it will
78 start outputting complete events.
79 Should the file or the last checkpointed event not be found, one
81 of a number of errors will result and ausearch will terminate.
82 See EXIT STATUS for detail.
83 --eoe-timeout seconds
86 Set the end of event parsing timeout. See end_of_event_timeout
87 in auditd.conf(5) for details. Note that setting this value will
88 override any configured value found in /etc/auditd/auditd.conf.
89 -e, --exit exit-code-or-errno
91 Search for an event based on the given syscall exit code or er‐
92 rno.
93 --escape option
95 This option determines if the output is escaped to make the con‐
96 tent safer for certain uses. The options are raw , tty , shell ,
97 and shell_quote. Each mode includes the characters of the pre‐
98 ceding mode and escapes more characters. That is to say shell
99 includes all characters escaped by tty and adds more. tty is the
100 default.
101 --extra-keys
103 When the format mode is csv, this option will add a final column
104 with key information if its exists for the event. This would
105 only occur on SYSCALL records which were the result of trigger‐
106 ing an audit rule that defines a key.
107 --extra-labels
109 When the format mode is csv, this option will add columns of in‐
110 formation about subject and object labels when they exist.
111 --extra-obj2
113 When the format mode is csv, this option will add columns of in‐
114 formation about a second object when it exists. It's rare that a
115 second object is part of a record. Some examples are when a file
116 is renamed from one name to another or when a device is mounted
117 to a path.
118 --extra-time
120 When the format mode is csv, this option will add columns of in‐
121 formation about broken down time to make subsetting easier.
122 -f, --file file-name
124 Search for an event based on the given filename. The argument
125 will match normal files as well as af_unix sockets.
126 --format option
128 Events that match the search criteria are formatted using this
129 option. The supported formats are: raw, default, interpret, csv,
130 and text. The raw option is described under the --raw command
131 line option. The default option is what you get when no format‐
132 ting options are passed. It includes one line as a visual sepa‐
133 rator which indicates the time stamp and then the records of the
134 event follow. The interpret option is explained under the -i
135 command line option. The csv option outputs the results of the
136 search as a normalized event in comma separated value (CSV) for‐
137 mat suitable for import into analytical programs. The text op‐
138 tion turns the event into an English sentence that is easier to
139 understand than other options, but it comes at the expense of
140 loss of detail. In most cases this is perfectly fine since the
141 original event still retains all the original information.
142 -ga, --gid-all all-group-id
144 Search for an event with either effective group ID or group ID
145 matching the given group ID.
146 -ge, --gid-effective effective-group-id
148 Search for an event with the given effective group ID or group
149 name.
150 -gi, --gid group-id
152 Search for an event with the given group ID or group name.
153 -h, --help
155 Help
156 -hn, --host host-name
158 Search for an event with the given host name. The hostname can
159 be either a hostname, fully qualified domain name, or numeric
160 network address. No attempt is made to resolve numeric addresses
161 to domain names or aliases. This search typically correlates to
162 the addr or host field of audit events. Also see the --node com‐
163 mand which searches the node field.
164 -i, --interpret
166 Interpret numeric entities into text. For example, uid is con‐
167 verted to account name. If the audit logs are unenriched, the
168 conversion is done using the current resources of the machine
169 where the search is being run. If you have renamed the accounts,
170 or don't have the same accounts on your machine, you could get
171 misleading results. If the logs are enriched, it uses the sup‐
172 plemental data to do the conversion. This allows accurate log
173 reporting even when run on a different machine than the original
174 logs came from.
175 -if, --input file-name | directory
177 Use the given file or directory instead of the logs. This is to
178 aid analysis where the logs have been moved to another machine
179 or only part of a log was saved. The path length is limited to
180 4064 bytes.
181 --input-logs
183 Use the log file location from auditd.conf as input for search‐
184 ing. This is needed if you are using ausearch from a cron job.
185 --just-one
187 Stop after emitting the first event that matches the search cri‐
188 teria.
189 -k, --key key-string
191 Search for an event based on the given key string.
192 -l, --line-buffered
194 Flush output on every line. Most useful when stdout is connected
195 to a pipe and the default block buffering strategy is undesir‐
196 able. May impose a performance penalty.
197 -m, --message message-type | comma-sep-message-type-list
199 Search for an event matching the given message type. (Message
200 types are also known as record types.) You may also enter a
201 comma separated list of message types or multiple individual
202 message types each with its own -m option. There is an ALL mes‐
203 sage type that doesn't exist in the actual logs. It allows you
204 to get all messages in the system. The list of valid messages
205 types is long. The program will display the list whenever no
206 message type is passed with this parameter. The message type can
207 be either text or numeric. If you enter a list, there can be
208 only commas and no spaces separating the list.
209 -n, --node
211 Search for events originating from a specific machine. Multiple
212 nodes are allowed, and if any nodes match, the event is matched.
213 This search uses the node field in audit events. Also see the
214 --host command which search for events related to host informa‐
215 tion in the audit trail.
216 -o, --object SE-Linux-context-string
218 Search for event with tcontext (object) matching the string.
219 -p, --pid process-id
221 Search for an event matching the given process ID.
222 -pp, --ppid parent-process-id
224 Search for an event matching the given parent process ID.
225 -r, --raw
227 Output is completely unformatted. This is useful for extracting
228 records to a file that can still be interpreted by audit tools
229 or when piping to other audit tools.
230 -sc, --syscall syscall-name-or-value
232 Search for an event matching the given syscall. You may either
233 give the numeric syscall value or the syscall name. If you give
234 the syscall name, it will use the syscall table for the machine
235 that you are using.
236 -se, --context SE-Linux-context-string
238 Search for events with either scontext/subject or tcontext/ob‐
239 ject matching the given string.
240 --session Login-Session-ID
242 Search for events matching the given Login Session ID. This
243 process attribute is set when a user logs in and can tie any
244 process to a particular user login.
245 -su, --subject SE-Linux-context-string
247 Search for event with scontext (subject) matching the string.
248 -sv, --success success-value
250 Search for an event matching the given success value. Legal val‐
251 ues are yes and no.
252 -te, --end [end-date] [end-time]
254 Search for events with time stamps equal to or before the given
255 end time. The format of end time depends on your locale. You can
256 check the format of your locale by running date '+%x'. If the
257 date is omitted, today is assumed. If the time is omitted, now
258 is assumed. Use 24 hour clock time rather than AM or PM to spec‐
259 ify time. An example date using the en_US.utf8 locale is
260 09/03/2009. An example of time is 18:00:00. The date format ac‐
261 cepted is influenced by the LC_TIME environmental variable.
262 You may also use the word: now, recent, this-hour, boot, today,
264 yesterday, this-week, week-ago, this-month, or this-year. Now
265 means starting now. Recent is 10 minutes ago. Boot means the
266 time of day to the second when the system last booted. Today
267 means now. Yesterday is 1 second after midnight the previous
268 day. This-week means starting 1 second after midnight on day 0
269 of the week determined by your locale (see localtime). Week-ago
270 means 1 second after midnight exactly 7 days ago. This-month
271 means 1 second after midnight on day 1 of the month. This-year
272 means the 1 second after midnight on the first day of the first
273 month.
274 -ts, --start [start-date] [start-time]
276 Search for events with time stamps equal to or after the given
277 start time. The format of start time depends on your locale. You
278 can check the format of your locale by running date '+%x'. If
279 the date is omitted, today is assumed. If the time is omitted,
280 midnight is assumed. Use 24 hour clock time rather than AM or PM
281 to specify time. An example date using the en_US.utf8 locale is
282 09/03/2009. An example of time is 18:00:00. The date format ac‐
283 cepted is influenced by the LC_TIME environmental variable.
284 You may also use the word: now, recent, this-hour, boot, today,
286 yesterday, this-week, week-ago, this-month, this-year, or check‐
287 point. Boot means the time of day to the second when the system
288 last booted. Today means starting at 1 second after midnight.
289 Recent is 10 minutes ago. Yesterday is 1 second after midnight
290 the previous day. This-week means starting 1 second after mid‐
291 night on day 0 of the week determined by your locale (see local‐
292 time). Week-ago means starting 1 second after midnight exactly 7
293 days ago. This-month means 1 second after midnight on day 1 of
294 the month. This-year means the 1 second after midnight on the
295 first day of the first month.
296 checkpoint means ausearch will use the timestamp found within a
298 valid checkpoint file ignoring the recorded inode, device, se‐
299 rial, node and event type also found within a checkpoint file.
300 Essentially, this is the recovery action should an invocation of
301 ausearch with a checkpoint option fail with an exit status of
302 10, 11 or 12. It could be used in a shell script something like:
303 ausearch --checkpoint /etc/audit/auditd_checkpoint.txt -i
305 _au_status=$?
306 if test ${_au_status} eq 10 -o ${_au_status} eq 11 -o ${_au_status} eq 12
307 then
308 ausearch --checkpoint /etc/audit/auditd_checkpoint.txt --start checkpoint -i
309 fi
310 -tm, --terminal terminal
312 Search for an event matching the given terminal value. Some dae‐
313 mons such as cron and atd use the daemon name for the terminal.
314 -ua, --uid-all all-user-id
316 Search for an event with either user ID, effective user ID, or
317 login user ID (auid) matching the given user ID.
318 -ue, --uid-effective effective-user-id
320 Search for an event with the given effective user ID.
321 -ui, --uid user-id
323 Search for an event with the given user ID.
324 -ul, --loginuid login-id
326 Search for an event with the given login user ID. All entry
327 point programs that are PAMified need to be configured with
328 pam_loginuid required for the session for searching on loginuid
329 (auid) to be accurate.
330 -uu, --uuid guest-uuid
332 Search for an event with the given guest UUID.
333 -v, --version
335 Print the version and exit
336 -vm, --vm-name guest-name
338 Search for an event with the given guest name.
339 -w, --word
341 String based matches must match the whole word. This category of
342 matches include: filename, hostname, terminal, keys, and SE
343 Linux context.
344 -x, --executable executable
346 Search for an event matching the given executable name.
347
350 0 if OK,
351 1 if nothing found, or argument errors or minor file access/read er‐
353 rors,
354 10 invalid checkpoint data found in checkpoint file,
356 11 checkpoint processing error
358 12 checkpoint event not found in matching log file
360
362 The boot time option is a convenience function and has limitations. The
363 time it calculates is based on time now minus /proc/uptime. If after
364 boot the system clock has been adjusted, perhaps by ntp, then the cal‐
365 culation may be wrong. In that case you'll need to fully specify the
366 time. You can check the time it would use by running:
367 date -d "`cut -f1 -d. /proc/uptime` seconds ago"
369
372 Search for a specific user:
373 # ausearch --start today --loginuid john -i
374 Check the SELinux log for any denials today
376 # ausearch --start today -m avc -i
377 Output logs in text format
379 # ausearch --start today --format text
380 Output TTY events interpreted and shell escaped
382 # ausearch --start today -m TTY -i --escape shell_quote
383
386 auditd(8), auditd.conf(5), aureport(8), pam_loginuid(8).
387Red Hat July 2023 AUSEARCH(8)