Overview
aureport reads the audit log files written by auditd (by default /var/log/audit/audit.log) and generates summary reports selected by report type and filter criteria. It gives a quick overview of the security-relevant activity recorded on a system and helps identify potential problems such as repeated failed logins or unexpected program executions.
Key Features
- Generates log summaries and statistics
- Provides various types of event reports (logins, file access, executed programs, etc.)
- Supports security auditing and compliance
Key Options
aureport offers a variety of report types and filtering options. Report types are chosen with a flag and filters narrow the events included; several flags can be combined in one command.
Report Types
Common report types are -l (logins), -au (authentication attempts), -f (file access), -x (executed programs), -u (users), -a (AVC/SELinux events) and -k (audit rule keys). With no report type given, aureport prints an overall summary of the log.
Filtering and Output
Reports can be restricted in time with --start and --end (relative keywords or explicit date/time values) and in outcome with --success or --failed. -i interprets numeric fields such as UIDs and syscall numbers into names, and --summary prints a count per item instead of one line per event.
Usage Examples
Examples of generating various reports using the aureport command. The audit log is readable only by root, so run these commands as root or prefix them with sudo.
Report of All Login Attempts
aureport -l
Lists every login recorded on the system, successful and failed, with the date, account, source host, terminal and the program that performed the login. Add -i to show account names instead of numeric IDs.
Authentication Attempts from Yesterday to Today
aureport -au --start yesterday
Generates a report on authentication attempts from midnight yesterday to the present; when --end is omitted, the range ends now.
File Access Report for This Week
aureport -f --start this-week
Summarizes file access events that occurred this week.
Report of All Programs Executed Today
aureport -x --start today --end now
Generates a report on all programs executed since midnight today. The --end now is the default and may be omitted.
Summary Report of Failed Events
aureport -i --failed
With no report type given, aureport prints its summary report; --failed restricts it to failed events, so the output is a count of failed logins, authentications, syscalls and so on. -i interprets numeric fields (UIDs, syscall numbers) into names.
Installation
aureport is part of the audit package (called auditd on Debian-based systems). If it is not installed by default on your Linux distribution, you can install it using the following commands. After installation make sure the daemon is enabled and running (`sudo systemctl enable --now auditd`); aureport can only report events that auditd has actually recorded.
Debian/Ubuntu
sudo apt update && sudo apt install auditd
Install the auditd package using the apt package manager.
CentOS/RHEL
sudo yum install audit
Install the audit package using the yum package manager.
Fedora
sudo dnf install audit
Install the audit package using the dnf package manager.
Tips & Notes
Tips and notes for effectively using aureport.
Useful Tips
- **Time Specification**: The `--start` and `--end` options accept relative keywords such as 'now', 'recent', 'boot', 'today', 'yesterday', 'this-week', 'week-ago', 'this-month' and 'this-year', as well as explicit date and time values in the locale's date format (for example `--start 10/24/2023 09:00:00`).
- **Log File Location**: By default aureport reads the file named by `log_file` in `auditd.conf` (`/var/log/audit/audit.log`) together with its rotated predecessors. Use `-if <file or directory>` to analyse a different file, such as logs copied from another host.
- **Performance**: Processing large amounts of log data can be time-consuming. Specify the required period and report type explicitly, and use `--summary` when counts are enough.
- **Using with `ausearch`**: You can first select records with `ausearch` and pipe them to `aureport` for a more targeted report. The records must be passed in their raw on-disk format, so give `ausearch` the `--raw` option. Example: `ausearch -m USER_LOGIN -sv no --raw | aureport -l -i`. Because aureport reads standard input whenever it is not a terminal, scheduled runs (for example from cron) must pass `--input-logs` so that the configured log file is read instead.
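The login report and the ausearch pipe above produce a table meant for reading, not for scripting. The following script, an added example that is not part of the page's documentation or of the audit project, post-processes that table: it counts failed logins per account and source host and flags any account at or above a threshold. The real pipelines are shown as comments; because the script has to run offline, a constructed sample in the column layout that `aureport -l -i` prints (`# date time auid host term exe success event`) is embedded in place of live output, and the account names and addresses in it are invented.

```shell
#!/bin/sh
# Added example, not from the aureport project: post-process the table that
# `aureport -l -i` prints, counting failed logins per account/host pair.
#
# On a real host the table would come from the audit log, e.g.
#   sudo aureport -l -i --start this-week | count_failed_logins
# or, after narrowing the records with ausearch (note --raw):
#   sudo ausearch -m USER_LOGIN -sv no --raw --start this-week | aureport -l -i | count_failed_logins

# Constructed sample standing in for `aureport -l -i` output.
# Columns: # date time auid host term exe success event
sample_login_report() {
    cat <<'EOF'
Login Report
============================================
# date time auid host term exe success event
============================================
1. 10/24/2023 09:15:02 alice 192.168.1.5 ssh /usr/sbin/sshd yes 1234
2. 10/24/2023 09:16:10 root 203.0.113.7 ssh /usr/sbin/sshd no 1240
3. 10/24/2023 09:16:14 root 203.0.113.7 ssh /usr/sbin/sshd no 1241
4. 10/24/2023 09:16:19 root 203.0.113.7 ssh /usr/sbin/sshd no 1242
5. 10/24/2023 09:17:03 bob 192.168.1.8 ssh /usr/sbin/sshd no 1250
6. 10/24/2023 09:17:30 bob 192.168.1.8 ssh /usr/sbin/sshd yes 1251
EOF
}

# Reads a login report on stdin and prints "count account host" for every
# account/host pair with at least one failure, highest count first.
# Only numbered record lines ("1.", "2.", ...) are considered, so the
# title, header and separator lines of the report are skipped.
count_failed_logins() {
    awk '
        $1 ~ /^[0-9]+\.$/ && $8 == "no" { fail[$4 " " $5]++ }
        END { for (k in fail) printf "%d %s\n", fail[k], k }
    ' | sort -rn
}

# Reads the counted output and prints the accounts whose failure count
# is greater than or equal to the threshold given as $1.
flag_accounts() {
    awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run: full breakdown, then accounts with 3 or more failures.
sample_login_report | count_failed_logins
sample_login_report | count_failed_logins | flag_accounts 3
```

The record filter keys on the numbered first column rather than on line position, so the functions keep working if aureport adds or drops header lines. The threshold is deliberately applied per account rather than per account/host pair so that a password-spraying attempt spread over several source addresses is still noticed.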