Inspecting Audit Logs with ausearch and aureport

Working with ausearch and aureport to analyse audit logs on a RHEL system.

The audit system ships with the ausearch command, a tool for searching the audit logs.

aureport is a tool that produces summary reports from the audit logs.

Searching For and Viewing SELinux Denials

A number of tools are available for viewing SELinux denials, such as ausearch, aureport and sealert.

List all denials:

# ausearch -m avc

List denials since system boot:

# ausearch -m avc --start boot

List denials whose command name (the comm field matched by -c) is mysqld:

# ausearch -m avc -c mysqld

Generating Reports

Generate an AVC object summary report:

# aureport -a

Avc Object Summary Report
=================================
total  obj
=================================
1  system_u:object_r:unreserved_port_t:s0

Generate a summary report for all login events:

# aureport -i --login --summary

Login Summary Report
============================
total  auid
============================
40  vince
24  root
20  alice
8  sandy
1  (unknown)

Generate a summary report of events per executable:

# aureport -i --executable --summary

Executable Summary Report
=================================
total  file
=================================
2634  /usr/sbin/crond
2019  /usr/sbin/sshd
976  /usr/lib/systemd/systemd
539  /usr/sbin/xtables-multi
100  /usr/bin/kmod
96  /usr/sbin/ebtables-restore
45  /usr/bin/login
24  /usr/bin/su
21  /usr/lib/systemd/systemd-update-utmp
12  /usr/sbin/useradd
12  /usr/bin/passwd
7  /usr/sbin/groupadd
6  /usr/sbin/faillock
3  /usr/sbin/sshd;5cfab207 (deleted)
2  /usr/sbin/load_policy
2  /usr/bin/sudo
1  /usr/bin/python2.7
1  /usr/sbin/semanage

Retrieve Records Based on Audit Event ID

Find the last login event:

# aureport -i --login | tail -n1
93. 30/06/19 12:41:28 alice 10.11.1.10 /dev/pts/2 /usr/sbin/sshd yes 3197

Retrieve the full record for that event using its event id (the last column above):

# ausearch -i -a 3197
----
type=USER_LOGIN msg=audit(30/06/19 12:41:28.984:3197) : pid=8565 uid=root auid=alice ses=211 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=alice exe=/usr/sbin/sshd hostname=10.11.1.10 addr=10.11.1.10 terminal=/dev/pts/2 res=success'

Export records in a CSV format:

# ausearch -a 3197 --format csv
NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW
,USER_LOGIN,30/06/19,12:41:28,3197,user-login,211,alice,,,logged-in,success,/dev/pts/2,,user-session,/usr/sbin/sshd
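As an added example that is not part of the original post, the following Python parses records in the interpreted layout ausearch -i prints above, merges the nested msg='...' fields into the record, and reproduces two of the checks shown: a per-account login tally like aureport --login --summary (split by result, so repeated failures stand out) and a lookup by event id like ausearch -a 3197. The sample records are constructed; only the first mirrors the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the interpreted layout ausearch -i prints (see above).
# The first record mirrors the post; the others are invented for illustration.
SAMPLE_RECORDS = """\
type=USER_LOGIN msg=audit(30/06/19 12:41:28.984:3197) : pid=8565 uid=root auid=alice ses=211 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=alice exe=/usr/sbin/sshd hostname=10.11.1.10 addr=10.11.1.10 terminal=/dev/pts/2 res=success'
type=USER_LOGIN msg=audit(30/06/19 12:43:02.101:3201) : pid=8590 uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=vince exe=/usr/sbin/sshd hostname=10.11.1.77 addr=10.11.1.77 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(30/06/19 12:43:09.555:3202) : pid=8590 uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=vince exe=/usr/sbin/sshd hostname=10.11.1.77 addr=10.11.1.77 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(30/06/19 12:45:00.000:3210) : pid=8600 uid=root auid=root ses=212 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=root exe=/usr/sbin/sshd hostname=10.11.1.10 addr=10.11.1.10 terminal=/dev/pts/3 res=success'
type=AVC msg=audit(30/06/19 12:46:10.000:3211) : avc:  denied  { name_bind } for  pid=8700 comm=mysqld src=3307 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
"""

# Header: record type, timestamp and the event serial that ausearch -a looks up.
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*):(\d+)\)\s*:\s*(.*)$")
# key=value tokens; quoted values may contain spaces (the msg='...' block).
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


def parse_record(line):
    """Flatten one audit record into a dict; nested msg='...' fields are merged in."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "timestamp": m.group(2), "serial": int(m.group(3))}
    for key, val in KV_RE.findall(m.group(4)):
        if key == "msg" and val[:1] in "'\"":
            # The quoted msg block carries its own pairs (op, id/acct, res, ...).
            rec.update((k, v.strip("'\"")) for k, v in KV_RE.findall(val[1:-1]))
        else:
            rec[key] = val.strip("'\"")
    return rec

def login_summary(lines):
    """Count USER_LOGIN outcomes per account: aureport --login --summary, split by result."""
    summary = defaultdict(Counter)
    for rec in filter(None, map(parse_record, lines)):
        if rec["type"] != "USER_LOGIN":
            continue
        # Successful logins name the user in id=; failed attempts carry acct=.
        account = rec.get("id") or rec.get("acct") or rec.get("auid", "(unknown)")
        summary[account][rec.get("res", "unknown")] += 1
    return {acct: dict(c) for acct, c in summary.items()}

def find_event(lines, serial):
    """Return the record with the given event serial, as ausearch -a does."""
    for rec in filter(None, map(parse_record, lines)):
        if rec["serial"] == serial:
            return rec
    return None
```

The same regexes also accept the raw /var/log/audit/audit.log layout (epoch timestamp, numeric uid/auid, double-quoted values), which is what you have when only a copied log file rather than a live audit daemon is available.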

4 thoughts on “Inspecting Audit Logs with ausearch and aureport”

  1. Hello,

    How could I use aureport on a sosreport file? I am trying to count login attempts from a sosreport but I'm not sure how.

    • I’ve never used aureport for that. As far as I’m aware it works with audit system logs in particular; not sure about sosreport.

  2. You may extract the sosreport and, once extracted, refer to the following to locate the audit file in the extracted sosreport.
    Example (the path is a placeholder for the audit log inside the extracted archive):
    aureport -if <path-to-extracted-sosreport>/var/log/audit/audit.log -l --summary -i
