AUSEARCH:(8)              System Administration Utilities             AUSEARCH:(8)

NAME
       ausearch - a tool to query audit daemon logs

SYNOPSIS
       ausearch [options]

DESCRIPTION
       ausearch is a tool that can query the audit daemon logs for events
       based on different search criteria. The ausearch utility can also take
       input from stdin as long as the input is the raw log data. Each
       command line option given forms an "and" statement. For example,
       searching with -m and -ui means return events that have both the
       requested type and match the user id given.

       It should also be noted that each syscall excursion from user space
       into the kernel and back into user space has one event ID that is
       unique. Any auditable event that is triggered during this trip shares
       this ID so that they may be correlated.

       Different parts of the kernel may add supplemental records. For
       example, an audit event on the syscall "open" will also cause the
       kernel to emit a PATH record with the file name. The ausearch utility
       will present all records that make up one event together. This could
       mean that even though you search for a specific kind of record, the
       resulting events may contain SYSCALL records.

       Also be aware that not all record types have the requested
       information. For example, a PATH record does not have a hostname or a
       loginuid.
33
34
OPTIONS
       -a, --event audit-event-id
              Search for an event based on the given event ID. Messages
              always start with something like
              msg=audit(1116360555.329:2401771). The event ID is the number
              after the ':'. All audit events that are recorded from one
              application's syscall have the same audit event ID. A second
              syscall made by the same application will have a different
              event ID. This way they are unique.

       -c, --comm comm-name
              Search for an event based on the given comm name. The comm name
              is the executable's name from the task structure.

       -f, --file file-name
              Search for an event based on the given filename.

       -ga, --gid-all all-group-id
              Search for an event with either effective group ID or group ID
              matching the given group ID.

       -ge, --gid-effective effective-group-id
              Search for an event with the given effective group ID or group
              name.

       -gi, --gid group-id
              Search for an event with the given group ID or group name.

       -h, --help
              Help

       -hn, --host host-name
              Search for an event with the given host name. The hostname can
              be either a hostname, fully qualified domain name, or numeric
              network address. No attempt is made to resolve numeric
              addresses to domain names or aliases.

       -i, --interpret
              Interpret numeric entities into text. For example, uid is
              converted to account name. The conversion is done using the
              current resources of the machine where the search is being run.
              If you have renamed the accounts, or don't have the same
              accounts on your machine, you could get misleading results.

       -if, --input file-name
              Use the given file instead of the logs. This is to aid analysis
              where the logs have been moved to another machine or only part
              of a log was saved.

       -k, --key key-string
              Search for an event based on the given key string.

       -m, --message message-type | comma-sep-message-type-list
              Search for an event matching the given message type. You may
              also enter a comma separated list of message types. There is an
              ALL message type that doesn't exist in the actual logs. It
              allows you to get all messages in the system. The list of valid
              message types is long. The program will display the list
              whenever no message type is passed with this parameter. The
              message type can be either text or numeric. If you enter a
              list, there can be only commas and no spaces separating the
              list.

       -o, --object SE-Linux-context-string
              Search for event with tcontext (object) matching the string.

       -p, --pid process-id
              Search for an event matching the given process ID.

       -pp, --ppid parent-process-id
              Search for an event matching the given parent process ID.

       -r, --raw
              Output is completely unformatted. This is useful for extracting
              records that can still be interpreted by audit tools.

       -sc, --syscall syscall-name-or-value
              Search for an event matching the given syscall. You may either
              give the numeric syscall value or the syscall name. If you give
              the syscall name, it will use the syscall table for the machine
              that you are using.

       -se, --context SE-Linux-context-string
              Search for event with either scontext/subject or tcontext/object
              matching the string.

       -su, --subject SE-Linux-context-string
              Search for event with scontext (subject) matching the string.

       -sv, --success success-value
              Search for an event matching the given success value. Legal
              values are yes and no.

       -te, --end [end-date] [end-time]
              Search for events with time stamps equal to or before the given
              end time. The format of end time depends on your locale. If the
              date is omitted, today is assumed. If the time is omitted, now
              is assumed. Use 24 hour clock time rather than AM or PM to
              specify time. An example date is 10/24/2005. An example of time
              is 18:00:00.

              You may also use the words: now, recent, today, yesterday,
              this-week, this-month, this-year. Today means starting at 1
              second after midnight. Recent is 10 minutes ago. Yesterday is 1
              second after midnight the previous day. This-week means
              starting 1 second after midnight on day 0 of the week
              determined by your locale (see localtime). This-month means 1
              second after midnight on day 1 of the month. This-year means 1
              second after midnight on the first day of the first month.

       -ts, --start [start-date] [start-time]
              Search for events with time stamps equal to or after the given
              start time. The format of start time depends on your locale. If
              the date is omitted, today is assumed. If the time is omitted,
              midnight is assumed. Use 24 hour clock time rather than AM or
              PM to specify time. An example date is 10/24/2005. An example
              of time is 18:00:00.

              You may also use the words: now, recent, today, yesterday,
              this-week, this-month, this-year. Today means starting at 1
              second after midnight. Recent is 10 minutes ago. Yesterday is 1
              second after midnight the previous day. This-week means
              starting 1 second after midnight on day 0 of the week
              determined by your locale (see localtime). This-month means 1
              second after midnight on day 1 of the month. This-year means 1
              second after midnight on the first day of the first month.

       -tm, --terminal terminal
              Search for an event matching the given terminal value. Some
              daemons such as cron and atd use the daemon name for the
              terminal.

       -ua, --uid-all all-user-id
              Search for an event with either user ID, effective user ID, or
              login user ID (auid) matching the given user ID.

       -ue, --uid-effective effective-user-id
              Search for an event with the given effective user ID.

       -ui, --uid user-id
              Search for an event with the given user ID.

       -ul, --loginuid login-id
              Search for an event with the given login user ID. All entry
              point programs that are pamified need to be configured with
              pam_loginuid required for the session for searching on loginuid
              (auid) to be accurate.

       -v, --verbose
              Print the version and exit

       -w, --word
              String based matches must match the whole word. This category
              of matches includes: filename, hostname, terminal, and SE Linux
              context.

       -x, --executable executable
              Search for an event matching the given executable name.
190
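       The following is an added example, written for this page rather than
       taken from the man page or the audit package, that models how the
       options above combine: every criterion given must hold ("and"
       semantics), and a criterion holds when any record of the event carries
       the value, so -f (a PATH field) and -ui (a SYSCALL field) can be
       combined against one event. audit_search and RAW_LOG are assumed
       names, the records are constructed, and only -m, -ui, -sv, -k, -f, -ts
       and -te are modelled. Unlike the real tool, -ts and -te here take
       epoch seconds instead of locale date/time; epoch 1130176800 is
       2005-10-24 18:00:00 UTC, the date and time used as examples above.

```shell
# Constructed raw records, not from a real system. Event 500 is a denied
# read of /etc/shadow by uid 1000, 501 a failed authentication, 502 root
# editing /etc/hosts, and 503 an unrelated directory listing an hour later.
RAW_LOG='type=SYSCALL msg=audit(1130176700.100:500): arch=c000003e syscall=2 success=no exit=-13 ppid=1 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="etc-watch"
type=PATH msg=audit(1130176700.100:500): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000 ouid=0 ogid=42
type=USER_AUTH msg=audit(1130176820.000:501): pid=99 uid=0 auid=1000 ses=3 exe="/usr/bin/sudo" terminal=pts0 res=failed
type=SYSCALL msg=audit(1130176850.200:502): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=1300 auid=1000 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="etc-watch"
type=PATH msg=audit(1130176850.200:502): item=0 name="/etc/hosts" inode=5678 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1130180500.300:503): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=1400 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key="home-watch"'

# audit_search [-m TYPE] [-ui UID] [-sv yes|no] [-k KEY] [-f NAME] [-ts EPOCH] [-te EPOCH]
# Prints the serial of every event that satisfies ALL given criteria. A
# criterion counts as satisfied when any record of the event carries the
# value. Assumption of this example: -ts/-te are epoch seconds, not dates.
audit_search() {
    m=""; ui=""; sv=""; k=""; f=""; ts=0; te=9999999999
    while [ $# -gt 0 ]; do
        case "$1" in
            -m)  m="$2" ;;
            -ui) ui="$2" ;;
            -sv) sv="$2" ;;
            -k)  k="$2" ;;
            -f)  f="$2" ;;
            -ts) ts="$2" ;;
            -te) te="$2" ;;
            *)   echo "audit_search: unknown option $1" >&2; return 2 ;;
        esac
        shift 2
    done
    printf '%s\n' "$RAW_LOG" | awk -v m="$m" -v ui="$ui" -v sv="$sv" -v k="$k" \
                                   -v f="$f" -v ts="$ts" -v te="$te" '
    {
        # msg=audit(SECONDS.MS:SERIAL) is the event ID shared by all records
        # of one syscall excursion; the seconds part is the event time stamp.
        match($0, /msg=audit\([0-9]+\.[0-9]+:[0-9]+\)/)
        stamp = substr($0, RSTART + 10, RLENGTH - 11)      # SECONDS.MS:SERIAL
        split(stamp, p, ":"); id = p[2]
        if (!(id in when)) { when[id] = int(p[1]); ids[++n] = id }
        # Gather the values this record contributes to its event.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^type=/)    types[id] = types[id] " " substr($i, 6)
            if ($i ~ /^uid=/)     uid[id] = substr($i, 5)
            if ($i ~ /^success=/) succ[id] = substr($i, 9)
            if ($i ~ /^key=/)     key[id] = $i
            if ($i ~ /^name=/)    name[id] = $i
        }
    }
    END {
        # Every criterion must hold ("and" semantics); unset ones are skipped.
        for (j = 1; j <= n; j++) {
            id = ids[j]
            if (m  != "" && index(types[id] " ", " " m " ") == 0) continue
            if (ui != "" && uid[id] != ui)                     continue
            if (sv != "" && succ[id] != sv)                    continue
            if (k  != "" && key[id]  != "key=\"" k "\"")       continue
            if (f  != "" && name[id] != "name=\"" f "\"")      continue
            if (when[id] < ts || when[id] > te)                continue
            print id
        }
    }'
}
```

       Running audit_search -m PATH returns events 500 and 502, both of which
       also carry a SYSCALL record; adding -ui 1000 -sv yes narrows that to
       nothing, because 500 failed and 502 ran as uid 0. The -f/-ui
       combination works because the file name lives in the PATH record and
       the uid in the SYSCALL record of the same event.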

SEE ALSO
       auditd(8), pam_loginuid(8).

Red Hat                           Nov 2006                        AUSEARCH:(8)