
ausearch: Search Audit Logs

ausearch is a command-line tool used to query and analyze the log files of the Linux Audit System. It allows you to search for audit events based on various criteria such as specific events, users, time ranges, and system calls, making it essential for system security auditing, intrusion detection, and compliance verification.

Overview

ausearch queries audit log files, such as `/var/log/audit/audit.log`, to find and output events that match specific conditions. This tool enables efficient tracking and analysis of critical security-related events or user activities on the system.

Key Features

Core functionalities provided by ausearch.

  • Search for activities of specific users or groups
  • Track access to and modification of files and directories
  • Analyze events for specific system calls (syscalls)
  • Filter audit logs by time
  • View events by message type

Key Options

Useful options when using the ausearch command (the ones used in the examples on this page).

Search Criteria

  • `-m <type>`: match a message type, e.g. `SYSCALL` or `USER_LOGIN`
  • `-ua <user>` / `-ui <uid>`: match a user across all uid fields (uid, euid, auid) or only the exact uid
  • `-f <file>`: match events that touch a file or directory
  • `-p <pid>`: match events for a process ID
  • `--success yes|no`: keep only successful or only failed events

Time Criteria

  • `-ts <start>` / `-te <end>`: start and end of the time range; keywords such as `today` are accepted as well as dates and times

Output Format

  • `-i`: interpret numeric values such as UIDs and syscall numbers into readable names

Usage Examples

Practical examples of using the ausearch command.

Search all activities for a specific user (root)

ausearch -ua root -i

Searches for all audit events performed by the root user and, because of `-i`, interprets numeric fields such as UIDs into readable names.

Search for access attempts to a specific file (/etc/passwd)

ausearch -f /etc/passwd

Searches for all access attempt events for the /etc/passwd file.

Search for all system call (SYSCALL) events today

ausearch -ts today -m SYSCALL

Searches for all system call events that occurred from the start of today up to the current time.

Search for login failure events

ausearch -m USER_LOGIN --success no -i

Searches for user login failure events (message type `USER_LOGIN`, filtered with `--success no`).

Search for all audit events for a specific PID

ausearch -p 12345

Searches for all audit events related to a specified Process ID (PID).

Installation

ausearch is part of the Linux Audit System and is typically provided by the 'audit' or 'auditd' package on most major distributions. If it's not installed by default, you can install it using the following commands.

Debian/Ubuntu

sudo apt-get update && sudo apt-get install auditd

Command to install the auditd package on Debian or Ubuntu-based systems.

RHEL/CentOS/Fedora

sudo yum install audit

Command to install the audit package on RHEL, CentOS, or Fedora-based systems.

Tips & Notes

Tips and points to consider for efficient use of ausearch.

Performance Optimization

When searching large amounts of logs, it's crucial to narrow down the search scope.

  • Specify Time Range: Always use the `-ts` and `-te` options to clearly define the time range for your search.
  • Use Specific Fields: Reduce unnecessary log scanning by using specific fields like `-m`, `-f`, `-ua`, `-ui`, etc.

Log File Location

Be aware of the default location of audit log files.

  • Default Path: On most systems, audit logs are stored in `/var/log/audit/audit.log`.

Use with aureport

You can pipe the results filtered by ausearch to aureport to generate summary reports.

  • Example: The command `ausearch -ts today -m SYSCALL | aureport -s` searches for system call events that occurred today and outputs a summary report.
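To show what the filters in the Usage Examples above actually select, and what the `aureport -s` summary in this tip boils down to, here is an added example that is not part of ausearch or the audit-userspace project. It parses a few constructed raw audit records (not captured from a real host), groups them into events by their `audit(TIMESTAMP:SERIAL)` id, and reimplements the `-m`, `-ua`, `-f`, `-p`, `-ts`/`-te` and `--success` matching in plain Python. Simplifications are labelled in the comments: times are epoch seconds as stored in the raw log rather than keywords like `today`, and `-ua` takes a numeric uid instead of resolving a name.

```python
"""Toy reimplementation of the ausearch filters used on this page, run over
constructed raw audit records.  Added example: this is not ausearch's own
code; it keeps only enough to show how records group into events and how
each filter selects whole events."""
import re
from collections import defaultdict

# Constructed sample of raw audit.log lines (not captured from a real host).
# Records that share the same audit(TIMESTAMP:SERIAL) id belong to one event.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1700000000.101:201): pid=900 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000030.500:202): pid=901 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1700000100.250:203): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1 a2=0 a3=0 items=1 ppid=1000 pid=12345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="passwd-watch"
type=PATH msg=audit(1700000100.250:203): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000200.700:204): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd2 a2=0 a3=0 items=1 ppid=1000 pid=12346 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="shadow-watch"
type=PATH msg=audit(1700000200.700:204): item=0 name="/etc/shadow" inode=1235 dev=fd:00 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000300.000:205): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1 pid=777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sshd" exe="/usr/sbin/sshd" key=(null)
"""

HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_record(line):
    """Turn one raw record into a dict; nested msg='...' pairs are flattened."""
    m = HEADER.match(line)
    if not m:
        return None  # malformed or non-audit line: skipped
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    for key, val in KV.findall(m["body"]):
        if key == "msg" and val.startswith("'"):
            for k2, v2 in KV.findall(val[1:-1]):   # USER_* payload inside quotes
                rec[k2] = v2.strip('"')
        else:
            rec[key] = val.strip('"')
    return rec


def parse_events(text):
    """Group records by (timestamp, serial); each group is one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[(rec["ts"], rec["serial"])].append(rec)
    return [events[k] for k in sorted(events)]


# Each filter is a predicate over a whole event: like ausearch, a hit on any
# record of the event (e.g. only the PATH record) selects the entire event.
def by_type(msg_type):                        # -m SYSCALL
    return lambda ev: any(r["type"] == msg_type for r in ev)


def by_uid(uid):                              # -ua: uid, euid or auid
    want = str(uid)                           # numeric only here; ausearch also resolves names
    return lambda ev: any(r.get(k) == want for r in ev for k in ("uid", "euid", "auid"))


def by_file(path):                            # -f /etc/passwd
    return lambda ev: any(r["type"] == "PATH" and r.get("name") == path for r in ev)


def by_pid(pid):                              # -p 12345
    return lambda ev: any(r.get("pid") == str(pid) for r in ev)


def by_time(start=None, end=None):            # -ts / -te, as epoch seconds here
    return lambda ev: (start is None or ev[0]["ts"] >= start) and (end is None or ev[0]["ts"] <= end)


def by_success(ok):                           # --success yes|no
    want = {"yes", "success"} if ok else {"no", "failed"}   # SYSCALL has success=, USER_* has res=
    return lambda ev: any(r.get("success", r.get("res")) in want for r in ev)


def search(events, *preds):
    return [ev for ev in events if all(p(ev) for p in preds)]


def serials(events):
    return [ev[0]["serial"] for ev in events]


def syscall_summary(events):
    """Count events per syscall number, the gist of `aureport -s`."""
    counts = {}
    for ev in events:
        for r in ev:
            if r["type"] == "SYSCALL":
                counts[r["syscall"]] = counts.get(r["syscall"], 0) + 1
    return counts


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("failed logins:", serials(search(ev, by_type("USER_LOGIN"), by_success(False))))
    print("touched /etc/passwd:", serials(search(ev, by_file("/etc/passwd"))))
    print("uid 0 events:", serials(search(ev, by_uid(0))))
    print("syscall summary:", syscall_summary(ev))
```

Two things the sample makes visible that the one-line descriptions above do not: a `-f /etc/passwd` hit comes from the PATH record, but the whole event including its SYSCALL record (who, which syscall, success or not) is what you get back; and `-ua root` matches any event whose uid, euid or auid is 0, so it also returns the sshd login records where uid=0 only because sshd itself runs as root. When that noise matters, `-ui` or `-ul` narrows the match to the field you actually care about.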
