
ausearch: Audit log search

ausearch is a command-line tool for querying and analyzing the log files of the Linux Audit System. It lets you search audit events by criteria such as message type, user, time range, and system call, which makes it a core tool for system security auditing, intrusion detection, and compliance verification.

Overview

ausearch finds and outputs events from audit log files, such as `/var/log/audit/audit.log`, that meet specific conditions. This tool enables efficient tracking and analysis of critical security-related events or user activities on the system.

Key Features

Core functionalities provided by ausearch.

  • Search for activities of specific users or groups
  • Track access changes to files and directories
  • Analyze events of specific system calls (syscalls)
  • Filter audit logs by time
  • View events by message type

Main Options

Useful main options when using the ausearch command.

Search Criteria

Time Criteria

Output Format

Usage Examples

Practical examples of using the ausearch command.

Search all activities of a specific user (root)

ausearch -ua root -i

Searches for all audit events performed by the root user (the `-ua` option matches the user ID, effective user ID, or login user ID) and, with `-i`, translates numeric values such as UIDs into names.

Search for access attempts to a specific file (/etc/passwd)

ausearch -f /etc/passwd

Searches for all access attempt events for the /etc/passwd file.

Search for all system call (SYSCALL) events that occurred today

ausearch -ts today -m SYSCALL

Searches for all system call events from today's date up to the current time.

Search for login failure events

ausearch -m USER_LOGIN --success no -i

Searches for user login failure events (message type USER_LOGIN and success=no).

Search for all audit events for a specific PID

ausearch -p 12345

Searches for all audit events related to a specified Process ID (PID).

Installation

ausearch is part of the Linux Audit System and is typically provided by the 'audit' or 'auditd' package on most major distributions. If it's not installed by default, you can install it using the following commands.

Debian/Ubuntu

sudo apt-get update && sudo apt-get install auditd

Command to install the auditd package on Debian or Ubuntu-based systems.

RHEL/CentOS/Fedora

sudo yum install audit

Command to install the audit package on RHEL, CentOS, or Fedora-based systems.

Tips & Notes

Tips and points to note for efficient use of ausearch.

Performance Optimization

When searching large amounts of logs, it's crucial to narrow down the search scope.

  • Specify Time Range: Always use the `-ts` and `-te` options to clearly define the time range for your search.
  • Use Specific Fields: Reduce unnecessary log scanning by using specific fields like `-m`, `-f`, `-ua`, `-ui`.

Log File Location

Be aware of the default audit log file location.

  • Default Path: On most systems, audit logs are stored in `/var/log/audit/audit.log`.

Use with aureport

You can pipe the results filtered by ausearch to aureport to generate summary reports.

  • Example: The command `ausearch -ts today -m SYSCALL | aureport -s` searches for system call events that occurred today and outputs a summary report.
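To make visible what the filters used in the usage examples above (`-m`, `-ua`, `-f`, `-p`, `--success`, `-i`) and the narrowing options recommended in the performance tips (`-ts`, `-te`, specific fields) actually match, here is an added Python example. It is not code from this page or from the audit project: it parses a handful of constructed records in the audit.log format, groups them into events by serial number, and applies ausearch-style criteria to each event. The sample log lines and the UID-to-name table are constructed for the example; times are passed as epoch seconds instead of the date strings ausearch accepts, and the `-i` stand-in uses that table rather than the system passwd database. Events only exist in a real log if auditd rules (for example a watch on `/etc/passwd`) recorded them.

```python
"""Added example (not from this page or the audit project): re-implements a
few ausearch filters over raw audit.log records so their semantics are visible.
Sample log lines and the UID table are constructed, not captured anywhere."""
import re

# Constructed records in the format auditd writes to /var/log/audit/audit.log:
# type=<msg type> msg=audit(<epoch>.<ms>:<serial>): key=value ...
# Records sharing a serial belong to one event (the SYSCALL plus its PATH here).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=257 success=no exit=-13 pid=12345 uid=1000 auid=1000 comm="cat" exe="/usr/bin/cat" key="passwd-access"
type=PATH msg=audit(1700000000.100:101): item=0 name="/etc/passwd" inode=131 mode=0100644 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1700000050.200:102): pid=900 uid=0 auid=1000 ses=4 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'
type=SYSCALL msg=audit(1700003600.300:103): arch=c000003e syscall=2 success=yes exit=3 pid=777 uid=0 auid=0 comm="vim" exe="/usr/bin/vim"
type=USER_LOGIN msg=audit(1700007200.400:104): pid=901 uid=0 auid=1001 ses=5 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=10.0.0.6 addr=10.0.0.6 terminal=ssh res=success'
"""

# Constructed uid->name table standing in for the passwd lookup `ausearch -i` does.
UID_NAMES = {0: "root", 1000: "alice", 1001: "bob"}

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\):\s*(?P<rest>.*)$")
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_record(line):
    """Parse one audit.log line into a dict; return None for a malformed line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": int(m["ts"]), "serial": int(m["serial"])}
    for key, val in KV_RE.findall(m["rest"]):
        rec[key] = val.strip("\"'")
    # USER_* records carry fields such as acct= and res= inside msg='...'.
    if "msg" in rec:
        for key, val in KV_RE.findall(rec["msg"]):
            rec.setdefault(key, val.strip("\"'"))
    return rec


def _record_matches(rec, name, value):
    """True if this single record satisfies one criterion."""
    if name == "msg_type":                     # -m
        return rec["type"] == value
    if name == "ua":                           # -ua: uid, euid or auid
        return any(rec.get(k) == str(value) for k in ("uid", "euid", "auid"))
    if name == "ui":                           # -ui: uid only
        return rec.get("uid") == str(value)
    if name == "path":                         # -f: file name in a PATH record
        return rec["type"] == "PATH" and rec.get("name") == value
    if name == "pid":                          # -p
        return rec.get("pid") == str(value)
    if name == "success":                      # --success yes|no
        # SYSCALL records use success=yes|no, USER_* records use res=success|failed.
        flag = rec.get("success") or {"success": "yes", "failed": "no"}.get(rec.get("res", ""))
        return flag == value
    if name == "ts":                           # -ts: at or after (epoch seconds)
        return rec["ts"] >= value
    if name == "te":                           # -te: at or before (epoch seconds)
        return rec["ts"] <= value
    raise ValueError(f"unknown criterion {name}")


def search(log_text, **criteria):
    """Return matching events (lists of records sharing a serial), oldest first.
    Keyword names mirror ausearch options: msg_type, ua, ui, path, pid, success,
    ts, te. Criteria are ANDed; each may be satisfied by any record of the event,
    so `path="/etc/passwd"` returns the whole event including its SYSCALL record."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    return [events[s] for s in sorted(events)
            if all(any(_record_matches(r, n, v) for r in events[s])
                   for n, v in criteria.items())]


def interpret(rec):
    """Emulate `ausearch -i` for the numeric user-ID fields using UID_NAMES."""
    out = dict(rec)
    for field in ("uid", "auid", "euid"):
        if field in out and out[field].isdigit():
            out[field] = UID_NAMES.get(int(out[field]), out[field])
    return out


if __name__ == "__main__":
    # Same question as `ausearch -m USER_LOGIN --success no -i` on the sample log.
    for event in search(SAMPLE_LOG, msg_type="USER_LOGIN", success="no"):
        for rec in event:
            r = interpret(rec)
            print(r["serial"], r["type"], r["auid"], r.get("acct"), r.get("res"))
```

Narrowing the search is the same trade-off the performance tips describe: `ts`/`te` and a specific `msg_type` or `pid` discard most events before any further field comparison, which is what keeps the tool fast on large logs.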
