Inspecting Audit Logs with ausearch and aureport

Working with ausearch and aureport to analyse audit logs on a RHEL system.

The auditing system ships with the ausearch command, which is a powerful tool for searching audit logs.

aureport is a tool that produces summary reports from the audit system logs.

Searching For and Viewing SELinux Denials

A number of tools are available for viewing SELinux denials, such as ausearch, aureport and sealert.

List all denials:

# ausearch -m avc

List denials since system boot:

# ausearch -m avc --start boot

List denials for the mysqld process (matched by command name):

# ausearch -m avc -c mysqld

Generating Reports

Generate an AVC object summary report:

# aureport -a

Avc Object Summary Report
total  obj
1  system_u:object_r:unreserved_port_t:s0

Generate a summary report for all login events:

# aureport -i --login --summary

Login Summary Report
total  auid
40  vince
24  root
20  alice
8  sandy
1  (unknown)

Generate an executable summary report of command executions:

# aureport -i --executable --summary

Executable Summary Report
total  file
2634  /usr/sbin/crond
2019  /usr/sbin/sshd
976  /usr/lib/systemd/systemd
539  /usr/sbin/xtables-multi
100  /usr/bin/kmod
96  /usr/sbin/ebtables-restore
45  /usr/bin/login
24  /usr/bin/su
21  /usr/lib/systemd/systemd-update-utmp
12  /usr/sbin/useradd
12  /usr/bin/passwd
7  /usr/sbin/groupadd
6  /usr/sbin/faillock
3  /usr/sbin/sshd;5cfab207 (deleted)
2  /usr/sbin/load_policy
2  /usr/bin/sudo
1  /usr/bin/python2.7
1  /usr/sbin/semanage

Retrieve Records Based on Audit Event ID

Find the last login event:

# aureport -i --login | tail -n1
93. 30/06/19 12:41:28 alice /dev/pts/2 /usr/sbin/sshd yes 3197

Retrieve more information about the last login event:

# ausearch -i -a 3197
type=USER_LOGIN msg=audit(30/06/19 12:41:28.984:3197) : pid=8565 uid=root auid=alice ses=211 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=alice exe=/usr/sbin/sshd hostname= addr= terminal=/dev/pts/2 res=success'

Export the record in CSV format:

# ausearch -a 3197 --format csv
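The workflow above (pick an event out of an aureport listing, then pull the full record with ausearch -a) can be scripted. The following is an added example, not code from the original post: it parses a constructed imitation of aureport --login output to pick out failed logins, and pulls individual fields out of the interpreted USER_LOGIN record shown above. The function names are my own.

```shell
#!/bin/sh
# Added example: helpers for the aureport -> ausearch workflow described above.
# SAMPLE_LOGINS is a constructed imitation of `aureport -i --login` output
# (columns: number date time auid terminal exe success event-id), not real data.
SAMPLE_LOGINS='92. 30/06/19 12:40:02 alice /dev/pts/1 /usr/sbin/sshd no 3190
93. 30/06/19 12:41:28 alice /dev/pts/2 /usr/sbin/sshd yes 3197
94. 30/06/19 12:42:10 bob /dev/pts/3 /usr/sbin/sshd no 3201'

# The USER_LOGIN record from the post (output of `ausearch -i -a 3197`).
SAMPLE_RECORD="type=USER_LOGIN msg=audit(30/06/19 12:41:28.984:3197) : pid=8565 uid=root auid=alice ses=211 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=alice exe=/usr/sbin/sshd hostname= addr= terminal=/dev/pts/2 res=success'"

# Print the event IDs of failed logins, one per line. The success flag is the
# second-to-last column and the event ID the last, so the parse does not depend
# on how many columns precede them.
failed_login_event_ids() {
    printf '%s\n' "$1" | awk '$(NF-1) == "no" { print $NF }'
}

# Extract the value of KEY from an interpreted audit record. The key must be
# preceded by a space, "(" or "'" so that e.g. "uid=" does not match "auid=".
# Usage: audit_field KEY RECORD
audit_field() {
    printf '%s\n' "$2" | sed -n "s/.*[ (']$1=\([^ ']*\).*/\1/p"
}

# Build the ausearch invocations that would fetch the full record of each
# failed login (printed rather than executed so the script runs anywhere).
drilldown_commands() {
    failed_login_event_ids "$1" | while read -r id; do
        printf 'ausearch -i -a %s\n' "$id"
    done
}

# Demonstration on the constructed data.
echo "Failed login event IDs:"
failed_login_event_ids "$SAMPLE_LOGINS"
echo "Commands to investigate them:"
drilldown_commands "$SAMPLE_LOGINS"
echo "Event 3197: user=$(audit_field auid "$SAMPLE_RECORD")" \
     "terminal=$(audit_field terminal "$SAMPLE_RECORD")" \
     "result=$(audit_field res "$SAMPLE_RECORD")"
```

On a live system the same functions work on real output by substituting `$(aureport -i --login)` and `$(ausearch -i -a "$id")` for the constructed samples.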

4 thoughts on “Inspecting Audit Logs with ausearch and aureport”

  1. Hello,

    How could I use aureport on a sosreport file? I am trying to count login attempts from sosreport but not sure how.

    • I’ve never used aureport for that. As far as I’m aware it works with audit system logs in particular, not sure about sosreport.

  2. You may extract the sosreport and once extracted you may refer to the following to locate the audit file in the extracted sosreport.
    aureport -if <path-to-audit.log> -l --summary -i
