Inspecting Audit Logs with ausearch and aureport

Working with ausearch and aureport to analyse audit logs on a RHEL system.

The auditing system ships with the ausearch command, which is a powerful tool for searching audit logs.

The aureport is a tool that produces summary reports of the audit system logs.

Searching For and Viewing SELinux Denials

A number of tools are available for viewing SELinux denials, such as ausearch, aureport and sealert.

List all denials:

# ausearch -m avc

List denials since system boot:

# ausearch -m avc --start boot

List denials for a mysqld service:

# ausearch -m avc -c mysqld

Generating Reports

Generate an AVC object summary report:

# aureport -a

Avc Object Summary Report
total  obj
1  system_u:object_r:unreserved_port_t:s0

Generate a summary report for all login events:

# aureport -i --login --summary

Login Summary Report
total  auid
40  vince
24  root
20  alice
8  sandy
1  (unknown)

Generate an executable summary report of command executions:

# aureport -i --executable --summary

Executable Summary Report
total  file
2634  /usr/sbin/crond
2019  /usr/sbin/sshd
976  /usr/lib/systemd/systemd
539  /usr/sbin/xtables-multi
100  /usr/bin/kmod
96  /usr/sbin/ebtables-restore
45  /usr/bin/login
24  /usr/bin/su
21  /usr/lib/systemd/systemd-update-utmp
12  /usr/sbin/useradd
12  /usr/bin/passwd
7  /usr/sbin/groupadd
6  /usr/sbin/faillock
3  /usr/sbin/sshd;5cfab207 (deleted)
2  /usr/sbin/load_policy
2  /usr/bin/sudo
1  /usr/bin/python2.7
1  /usr/sbin/semanage

Retrieve Records Based on Audit Event ID

Find the last login event:

# aureport -i --login|tail -n1
93. 30/06/19 12:41:28 alice /dev/pts/2 /usr/sbin/sshd yes 3197

Retrieve more information about the last login event:

# ausearch -i -a 3197
type=USER_LOGIN msg=audit(30/06/19 12:41:28.984:3197) : pid=8565 uid=root auid=alice ses=211 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=alice exe=/usr/sbin/sshd hostname= addr= terminal=/dev/pts/2 res=success'

Export records in a CSV format:

# ausearch -a 3197 --format csv

2 thoughts on “Inspecting Audit Logs with ausearch and aureport

  1. Hello,

    How could I user aureport on a sosreport file ? I am trying to count login attempts from sosreport but not sure how.

    • I’ve never used aureport for that. I far as I’m aware it works with audit system logs in particular, not sure about sosreport.

Leave a Reply

Your email address will not be published. Required fields are marked *