AUREPORT:(8)            System Administration Utilities           AUREPORT:(8)

NAME

       aureport - a tool that produces summary reports of audit daemon logs

SYNOPSIS

       aureport [options]

DESCRIPTION

       aureport is a tool that produces summary reports of the  audit  system
       logs.  The  aureport utility can also take input from stdin as long as
       the input is the raw log data. The reports have a column label at  the
       top  to  help with interpretation of the various fields. Except for the
       main summary report, all reports include the audit event  number.  You
       can  subsequently  look  up  the  full  event  with ausearch -a <event
       number>. You may need to specify start and stop times if you get  mul-
       tiple  hits.  The  reports  produced by aureport can be used as building
       blocks for more complicated analysis.


OPTIONS

       -au, --auth
              Report about authentication attempts

       -a, --avc
              Report about avc messages

       -c, --config
              Report about config changes

       -cr, --crypto
              Report about crypto events

       -e, --event
              Report about events

       -f, --file
              Report about files

       --failed
              Only select failed events for processing in  the  reports.  The
              default is both success and failed events.

       -h, --host
              Report about hosts

       -i, --interpret
              Interpret numeric entities into text. For example, uid is  con-
              verted to account name. The conversion is done using the current
              resources of the machine where the search is being run.  If  you
              have  renamed  the  accounts, or don't have the same accounts on
              your machine, you could get misleading results.

       -if, --input file
              Use the given file instead of the logs. This is to aid  analysis
              where  the  logs have been moved to another machine or only part
              of a log was saved.

       -l, --login
              Report about logins

       -m, --mods
              Report about account modifications

       -ma, --mac
              Report about Mandatory Access Control (MAC) events

       -p, --pid
              Report about processes

       -r, --response
              Report about responses to anomaly events

       -s, --syscall
              Report about syscalls

       --success
              Only select successful events for processing in the reports. The
              default is both success and failed events.

       --summary
              Run the summary report that gives a total of the elements of the
              main report. Not all reports have a summary.

       -t, --log
              This option will output a report of the start and end times  for
              each log.

       -te, --end [end-date] [end-time]
              Search for events with time stamps equal to or before the  given
              end  time. The format of end time depends on your locale. If the
              date is omitted, today is assumed. If the time is  omitted,  now
              is  assumed.  Use 24 hour clock time rather than AM or PM to spe-
              cify time. An example date is 10/24/2005. An example of time  is
              18:00:00.

              You may also use one of the words: now, recent, today, yesterday,
              this-week, this-month, this-year. Today means starting at 1  sec-
              ond  after  midnight.  Recent  is 10 minutes ago. Yesterday is 1
              second after midnight the previous day. This-week means starting
              1  second after midnight on day 0 of the week determined by your
              locale (see localtime). This-month means 1 second after midnight
              on  day  1 of the month. This-year means 1 second after midnight
              on the first day of the first month.

       -tm, --terminal
              Report about terminals

       -ts, --start [start-date] [start-time]
              Search for events with time stamps equal to or after  the  given
              start  time.  The format of start time depends on your locale. If
              the date is omitted, today is assumed. If the time  is  omitted,
              midnight  is  assumed. Use 24 hour clock time rather than AM or PM
              to specify time. An example date is 10/24/2005.  An  example  of
              time is 18:00:00.

              You may also use one of the words: now, recent, today, yesterday,
              this-week, this-month, this-year. Today means starting at 1  sec-
              ond  after  midnight.  Recent  is 10 minutes ago. Yesterday is 1
              second after midnight the previous day. This-week means starting
              1  second after midnight on day 0 of the week determined by your
              locale (see localtime). This-month means 1 second after midnight
              on  day  1 of the month. This-year means 1 second after midnight
              on the first day of the first month.

       -u, --user
              Report about users

       -v, --version
              Print the version and exit

       -x, --executable
              Report about executables

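       As an added illustration (not part of the audit package or this manual page), the following script reimplements, in miniature, what `aureport -au --failed --summary` and the non-summary `aureport -au --failed` report do over raw audit records of the kind aureport accepts from a file, -if, or stdin, including the -ts/-te time window. The audit records it consumes are constructed for the example, and the row layout and the record types it selects (USER_AUTH, USER_LOGIN) are assumptions, not a statement of aureport's internals.

```python
import re
from collections import Counter

# Constructed raw audit records (not captured from any real host), in the raw
# form aureport reads from a log file, -if, or stdin.
RAW_LOG = """\
type=USER_AUTH msg=audit(1163289601.120:101): pid=2201 uid=0 auid=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1163289605.330:102): pid=2203 uid=0 auid=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1163289610.010:103): pid=2207 uid=0 auid=4294967295 msg='op=PAM:authentication acct="bob" exe="/usr/sbin/sshd" hostname=10.0.0.7 addr=10.0.0.7 terminal=ssh res=success'
type=USER_AUTH msg=audit(1163289650.500:104): pid=2210 uid=0 auid=4294967295 msg='op=PAM:authentication acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=failed'
type=SYSCALL msg=audit(1163289660.000:105): arch=c000003e syscall=2 success=yes exit=3 a0=3 pid=2212 uid=1000 auid=1000 comm="cat" exe="/bin/cat"
"""

# Record header: type=... msg=audit(EPOCH.MS:SERIAL): followed by key=value fields.
RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUTH_TYPES = ('USER_AUTH', 'USER_LOGIN')  # assumed set of authentication record types

def parse_records(raw):
    """Yield one dict per record: type, epoch seconds, event serial, fields."""
    for line in raw.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the report
        rtype, secs, serial, body = m.groups()
        fields = {k: v.strip('"\'') for k, v in FIELD_RE.findall(body)}
        yield {'type': rtype, 'time': int(secs), 'event': int(serial), **fields}

def in_window(rec, start, end):
    """Apply the -ts/-te window (epoch seconds, inclusive; None = unbounded)."""
    return (start is None or rec['time'] >= start) and (end is None or rec['time'] <= end)

def failed_auth_events(records, start=None, end=None):
    """Rows of the non-summary report: each row keeps the event serial that
    `ausearch -a <event>` takes to pull the full event."""
    return [(r['time'], r.get('acct', '?'), r.get('addr', '?'), r.get('terminal', '?'),
             r.get('exe', '?'), r['event'])
            for r in records
            if r['type'] in AUTH_TYPES and r.get('res') == 'failed' and in_window(r, start, end)]

def failed_auth_summary(records, start=None, end=None):
    """Per-account totals, the shape of the --summary variant of the report."""
    return Counter(row[1] for row in failed_auth_events(records, start, end))

if __name__ == '__main__':
    recs = list(parse_records(RAW_LOG))
    for acct, total in failed_auth_summary(recs).most_common():
        print(f'{total:6d}  {acct}')
```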

SEE ALSO

       ausearch(8), auditd(8).



Red Hat                            Nov 2006                       AUREPORT:(8)