ausearch(8) — Linux manual page

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXIT STATUS | NOTE | EXAMPLES | SEE ALSO | COLOPHON

AUSEARCH(8)          System Administration Utilities         AUSEARCH(8)

NAME         top

       ausearch - a tool to query audit daemon logs

SYNOPSIS         top

       ausearch [options]

DESCRIPTION         top

       ausearch is a tool that can query the audit daemon logs based for
       events based on different search criteria. The ausearch utility
       can also take input from stdin as long as the input is the raw
       log data. Each commandline option given forms an "and" statement.
       For example, searching with -m and -ui means return events that
       have both the requested type and match the user id given. An
       exception is the -m  and -n options; multiple record types and
       nodes are allowed in a search which will return any matching node
       and record.

       It should also be noted that each syscall excursion from user
       space into the kernel and back into user space has one event ID
       that is unique. Any auditable event that is triggered during this
       trip share this ID so that they may be correlated.

       Different parts of the kernel may add supplemental records. For
       example, an audit event on the syscall "open" will also cause the
       kernel to emit a PATH record with the file name. The ausearch
       utility will present all records that make up one event together.
       This could mean that even though you search for a specific kind
       of record, the resulting events may contain SYSCALL records.

       Also be aware that not all record types have the requested
       information. For example, a PATH record does not have a hostname
       or a loginuid.

OPTIONS         top

       -a, --event audit-event-id
              Search for an event based on the given event ID. Messages
              always start with something like
              msg=audit(1116360555.329:2401771). The event ID is the
              number after the ':'. All audit events that are recorded
              from one application's syscall have the same audit event
              ID. A second syscall made by the same application will
              have a different event ID. This way they are unique.

       --arch CPU
              Search for events based on a specific CPU architecture.
              If you do not know the arch of your machine but you want
              to use the 32 bit syscall table and your machine supports
              32 bits, you can also use b32 for the arch. The same
              applies to the 64 bit syscall table, you can use b64.  The
              arch of your machine can be found by doing 'uname -m'.

       -c, --comm comm-name
              Search for an event based on the given comm name. The comm
              name is the executable's name from the task structure.

       --debug
              Write malformed events that are skipped to stderr.

       --checkpoint checkpoint-file
              Checkpoint the output between successive invocations of
              ausearch such that only events not previously output will
              print in subsequent invocations.

              An auditd event is made up of one or more records. When
              processing events, ausearch defines events as either
              complete or in-complete.  A complete event is either a
              single record event or one whose event time occurred 2
              seconds in the past compared to the event being currently
              processed.

              A checkpoint is achieved by recording the last completed
              event output along with the device number and inode of the
              file the last completed event appeared in checkpoint-file.
              On a subsequent invocation, ausearch will load this
              checkpoint data and as it processes the log files, it will
              discard all complete events until it matches the
              checkpointed one. At this point, it will start outputting
              complete events.

              Should the file or the last checkpointed event not be
              found, one of a number of errors will result and ausearch
              will terminate. See EXIT STATUS for detail.

       --eoe-timeout seconds
              Set the end of event parsing timeout. See
              end_of_event_timeout in auditd.conf(5) for details. Note
              that setting this value will override any configured value
              found in /etc/auditd/auditd.conf.

       -e, --exit exit-code-or-errno
              Search for an event based on the given syscall exit code
              or errno.

       --escape option
              This option determines if the output is escaped to make
              the content safer for certain uses. The options are raw ,
              tty , shell , and shell_quote. Each mode includes the
              characters of the preceding mode and escapes more
              characters. That is to say shell includes all characters
              escaped by tty and adds more. tty is the default.

       --extra-keys
              When the format mode is csv, this option will add a final
              column with key information if its exists for the event.
              This would only occur on SYSCALL records which were the
              result of triggering an audit rule that defines a key.

       --extra-labels
              When the format mode is csv, this option will add columns
              of information about subject and object labels when they
              exist.

       --extra-obj2
              When the format mode is csv, this option will add columns
              of information about a second object when it exists. It's
              rare that a second object is part of a record. Some
              examples are when a file is renamed from one name to
              another or when a device is mounted to a path.

       --extra-time
              When the format mode is csv, this option will add columns
              of information about broken down time to make subsetting
              easier.

       -f, --file file-name
              Search for an event based on the given filename. The
              argument will match normal files as well as af_unix
              sockets.

       --format option
              Events that match the search criteria are formatted using
              this option. The supported formats are: raw, default,
              interpret, csv, and text. The raw option is described
              under the --raw command line option. The default option is
              what you get when no formatting options are passed. It
              includes one line as a visual separator which indicates
              the time stamp and then the records of the event follow.
              The interpret option is explained under the -i command
              line option. The csv option outputs the results of the
              search as a normalized event in comma separated value
              (CSV) format suitable for import into analytical programs.
              The text option turns the event into an English sentence
              that is easier to understand than other options, but it
              comes at the expense of loss of detail. In most cases this
              is perfectly fine since the original event still retains
              all the original information.

       -ga, --gid-all all-group-id
              Search for an event with either effective group ID or
              group ID matching the given group ID.

       -ge, --gid-effective effective-group-id
              Search for an event with the given effective group ID or
              group name.

       -gi, --gid group-id
              Search for an event with the given group ID or group name.

       -h, --help
              Help

       -hn, --host host-name
              Search for an event with the given host name. The hostname
              can be either a hostname, fully qualified domain name, or
              numeric network address. No attempt is made to resolve
              numeric addresses to domain names or aliases. This search
              typically correlates to the addr or host field of audit
              events. Also see the --node command which searches the
              node field.

       -i, --interpret
              Interpret numeric entities into text. For example, uid is
              converted to account name. If the audit logs are
              unenriched, the conversion is done using the current
              resources of the machine where the search is being run. If
              you have renamed the accounts, or don't have the same
              accounts on your machine, you could get misleading
              results. If the logs are enriched, it uses the
              supplemental data to do the conversion. This allows
              accurate log reporting even when run on a different
              machine than the original logs came from.

       -if, --input file-name | directory
              Use the given file or directory instead of the logs. This
              is to aid analysis where the logs have been moved to
              another machine or only part of a log was saved. The path
              length is limited to 4064 bytes.

       --input-logs
              Use the log file location from auditd.conf as input for
              searching. This is needed if you are using ausearch from a
              cron job.

       --just-one
              Stop after emitting the first event that matches the
              search criteria.

       -k, --key key-string
              Search for an event based on the given key string.

       -l, --line-buffered
              Flush output on every line. Most useful when stdout is
              connected to a pipe and the default block buffering
              strategy is undesirable. May impose a performance penalty.

       -m, --message message-type | comma-sep-message-type-list
              Search for an event matching the given message type.
              (Message types are also known as record types.) You may
              also enter a comma separated list of message types or
              multiple individual message types each with its own -m
              option. There is an ALL message type that doesn't exist in
              the actual logs. It allows you to get all messages in the
              system. The list of valid messages types is long. The
              program will display the list whenever no message type is
              passed with this parameter. The message type can be either
              text or numeric. If you enter a list, there can be only
              commas and no spaces separating the list.

       -n, --node
              Search for events originating from a specific machine.
              Multiple nodes are allowed, and if any nodes match, the
              event is matched. This search uses the node field in audit
              events. Also see the --host command which search for
              events related to host information in the audit trail.

       -o, --object SE-Linux-context-string
              Search for event with tcontext (object) matching the
              string.

       -p, --pid process-id
              Search for an event matching the given process ID.

       -pp, --ppid parent-process-id
              Search for an event matching the given parent process ID.

       -r, --raw
              Output is completely unformatted. This is useful for
              extracting records to a file that can still be interpreted
              by audit tools or when piping to other audit tools.

       -sc, --syscall syscall-name-or-value
              Search for an event matching the given syscall. You may
              either give the numeric syscall value or the syscall name.
              If you give the syscall name, it will use the syscall
              table for the machine that you are using.

       -se, --context SE-Linux-context-string
              Search for events with either scontext/subject or
              tcontext/object matching the given string.

       --session Login-Session-ID
              Search for events matching the given Login Session ID.
              This process attribute is set when a user logs in and can
              tie any process to a particular user login.

       -su, --subject SE-Linux-context-string
              Search for event with scontext (subject) matching the
              string.

       -sv, --success success-value
              Search for an event matching the given success value.
              Legal values are yes and no.

       -te, --end [end-date] [end-time]
              Search for events with time stamps equal to or before the
              given end time. The format of end time depends on your
              locale. You can check the format of your locale by running
              date '+%x'.  If the date is omitted, today is assumed. If
              the time is omitted, now is assumed. Use 24 hour clock
              time rather than AM or PM to specify time. An example date
              using the en_US.utf8 locale is 09/03/2009. An example of
              time is 18:00:00. The date format accepted is influenced
              by the LC_TIME environmental variable.

              You may also use the word: now, recent, this-hour, boot,
              today, yesterday, this-week, week-ago, this-month, or
              this-year. Now means starting now. Recent is 10 minutes
              ago. Boot means the time of day to the second when the
              system last booted. Today means now. Yesterday is 1 second
              after midnight the previous day. This-week means starting
              1 second after midnight on day 0 of the week determined by
              your locale (see localtime). Week-ago means 1 second after
              midnight exactly 7 days ago. This-month means 1 second
              after midnight on day 1 of the month. This-year means the
              1 second after midnight on the first day of the first
              month.

       -ts, --start [start-date] [start-time]
              Search for events with time stamps equal to or after the
              given start time. The format of start time depends on your
              locale. You can check the format of your locale by running
              date '+%x'.  If the date is omitted, today is assumed. If
              the time is omitted, midnight is assumed. Use 24 hour
              clock time rather than AM or PM to specify time. An
              example date using the en_US.utf8 locale is 09/03/2009. An
              example of time is 18:00:00. The date format accepted is
              influenced by the LC_TIME environmental variable.

              You may also use the word: now, recent, this-hour, boot,
              today, yesterday, this-week, week-ago, this-month,
              this-year, or checkpoint. Boot means the time of day to
              the second when the system last booted. Today means
              starting at 1 second after midnight. Recent is 10 minutes
              ago. Yesterday is 1 second after midnight the previous
              day. This-week means starting 1 second after midnight on
              day 0 of the week determined by your locale (see
              localtime). Week-ago means starting 1 second after
              midnight exactly 7 days ago. This-month means 1 second
              after midnight on day 1 of the month. This-year means the
              1 second after midnight on the first day of the first
              month.

              checkpoint means ausearch will use the timestamp found
              within a valid checkpoint file ignoring the recorded
              inode, device, serial, node and event type also found
              within a checkpoint file. Essentially, this is the
              recovery action should an invocation of ausearch with a
              checkpoint option fail with an exit status of 10, 11 or
              12. It could be used in a shell script something like:

                   ausearch --checkpoint /etc/audit/auditd_checkpoint.txt -i
                   _au_status=$?
                   if test ${_au_status} eq 10 -o ${_au_status} eq 11 -o ${_au_status} eq 12
                   then
                     ausearch --checkpoint /etc/audit/auditd_checkpoint.txt --start checkpoint -i
                   fi

       -tm, --terminal terminal
              Search for an event matching the given terminal value.
              Some daemons such as cron and atd use the daemon name for
              the terminal.

       -ua, --uid-all all-user-id
              Search for an event with either user ID, effective user
              ID, or login user ID (auid) matching the given user ID.

       -ue, --uid-effective effective-user-id
              Search for an event with the given effective user ID.

       -ui, --uid user-id
              Search for an event with the given user ID.

       -ul, --loginuid login-id
              Search for an event with the given login user ID. All
              entry point programs that are PAMified need to be
              configured with pam_loginuid required for the session for
              searching on loginuid (auid) to be accurate.

       -uu, --uuid guest-uuid
              Search for an event with the given guest UUID.

       -v, --version
              Print the version and exit

       -vm, --vm-name guest-name
              Search for an event with the given guest name.

       -w, --word
              String based matches must match the whole word. This
              category of matches include: filename, hostname, terminal,
              keys, and SE Linux context.

       -x, --executable executable
              Search for an event matching the given executable name.

EXIT STATUS         top

       0    if OK,

       1    if nothing found, or argument errors or minor file
            access/read errors,

       10   invalid checkpoint data found in checkpoint file,

       11   checkpoint processing error

       12   checkpoint event not found in matching log file

NOTE         top

       The boot time option is a convenience function and has
       limitations. The time it calculates is based on time now minus
       /proc/uptime. If after boot the system clock has been adjusted,
       perhaps by ntp, then the calculation may be wrong. In that case
       you'll need to fully specify the time. You can check the time it
       would use by running:

       date -d "`cut -f1 -d. /proc/uptime` seconds ago"

EXAMPLES         top

       Search for a specific user:
       # ausearch --start today --loginuid john -i

       Check the SELinux log for any denials today
       # ausearch --start today -m avc -i

       Output any recent SELinux log
       # ausearch -m avc,user_avc,selinux_err,user_selinux_err -i -ts recent

       Output logs in text format
       # ausearch --start today --format text

       Output TTY events interpreted and shell escaped
       # ausearch --start today -m TTY -i --escape shell_quote

SEE ALSO         top

       auditd(8), auditd.conf(5), aureport(8), pam_loginuid(8).

COLOPHON         top

       This page is part of the audit (Linux Audit) project.
       Information about the project can be found at 
       ⟨http://people.redhat.com/sgrubb/audit/⟩.  If you have a bug
       report for this manual page, send it to linux-audit@redhat.com.
       This page was obtained from the project's upstream Git repository
       ⟨https://github.com/linux-audit/audit-userspace.git⟩ on
       2024-06-14.  (At that time, the date of the most recent commit
       that was found in the repository was 2024-06-12.)  If you
       discover any rendering problems in this HTML version of the page,
       or you believe there is a better or more up-to-date source for
       the page, or you have corrections or improvements to the
       information in this COLOPHON (which is not part of the original
       manual page), send a mail to man-pages@man7.org

Red Hat                         July 2023                    AUSEARCH(8)

Pages that refer to this page: auditd.conf(5)auditctl(8)auditd(8)aureport(8)rpm-plugin-audit(8)