ausearch - a tool to query audit daemon logs
ausearch is a tool that can query the audit daemon logs
based for events based on different search criteria. The ausearch utility
can also take input from stdin as long as the input is the raw log data.
Each commandline option given forms an "and" statement. For
example, searching with -m and -ui means return events that
have both the requested type and match the user id given. An exception is
the -m and -n options; multiple record types and nodes are
allowed in a search which will return any matching node and record.
It should also be noted that each syscall excursion from user
space into the kernel and back into user space has one event ID that is
unique. Any auditable event that is triggered during this trip share this ID
so that they may be correlated.
Different parts of the kernel may add supplemental records. For
example, an audit event on the syscall "open" will also cause the
kernel to emit a PATH record with the file name. The ausearch utility will
present all records that make up one event together. This could mean that
even though you search for a specific kind of record, the resulting events
may contain SYSCALL records.
Also be aware that not all record types have the requested
information. For example, a PATH record does not have a hostname or a
loginuid.
- -a, --event audit-event-id
- Search for an event based on the given event ID. Messages always
start with something like msg=audit(1116360555.329:2401771). The event ID
is the number after the ':'. All audit events that are recorded from one
application's syscall have the same audit event ID. A second syscall made
by the same application will have a different event ID. This way they are
unique.
- --arch CPU
- Search for events based on a specific CPU architecture. If you do not know
the arch of your machine but you want to use the 32 bit syscall table and
your machine supports 32 bits, you can also use b32 for the arch.
The same applies to the 64 bit syscall table, you can use b64. The
arch of your machine can be found by doing 'uname -m'.
- -c, --comm comm-name
- Search for an event based on the given comm name. The comm name is
the executable's name from the task structure.
- --debug
- Write malformed events that are skipped to stderr.
- --checkpoint checkpoint-file
- Checkpoint the output between successive invocations of ausearch such that
only events not previously output will print in subsequent invocations.
An auditd event is made up of one or more records. When
processing events, ausearch defines events as either complete or
in-complete. A complete event is either a single record event or one
whose event time occurred 2 seconds in the past compared to the event
being currently processed.
A checkpoint is achieved by recording the last completed event
output along with the device number and inode of the file the last
completed event appeared in checkpoint-file. On a subsequent
invocation, ausearch will load this checkpoint data and as it processes
the log files, it will discard all complete events until it matches the
checkpointed one. At this point, it will start outputting complete
events.
Should the file or the last checkpointed event not be found,
one of a number of errors will result and ausearch will terminate. See
EXIT STATUS for detail.
- -e, --exit exit-code-or-errno
- Search for an event based on the given syscall exit code or
errno.
- --escape option
- This option determines if the output is escaped to make the content safer
for certain uses. The options are raw , tty , shell ,
and shell_quote. Each mode includes the characters of the preceding
mode and escapes more characters. That is to say shell includes all
characters escaped by tty and adds more. tty is the
default.
- When the format mode is csv, this option will add a final
column with key information if its exists for the event. This would only
occur on SYSCALL records which were the result of triggering an audit rule
that defines a key.
- When the format mode is csv, this option will add columns of
information about subject and object labels when they exist.
- When the format mode is csv, this option will add columns of
information about a second object when it exists. It's rare that a second
object is part of a record. Some examples are when a file is renamed from
one name to another or when a device is mounted to a path.
- When the format mode is csv, this option will add columns of
information about broken down time to make subsetting easier.
- -f, --file file-name
- Search for an event based on the given filename. The argument will
match normal files as well as af_unix sockets.
- --format option
- Events that match the search criteria are formatted using this option. The
supported formats are: raw, default, interpret, csv, and text. The
raw option is described under the --raw command line option.
The default option is what you get when no formatting options are
passed. It includes one line as a visual separator which indicates the
time stamp and then the records of the event follow. The interpret
option is explained under the -i command line option. The
csv option outputs the results of the search as a normalized event
in comma separated value (CSV) format suitable for import into analytical
programs. The text option turns the event into an English sentence
that is easier to understand than other options, but it comes at the
expense of loss of detail. In most cases this is perfectly fine since the
original event still retains all the original information.
- -ga, --gid-all all-group-id
- Search for an event with either effective group ID or group ID matching
the given group ID.
- -ge, --gid-effective effective-group-id
- Search for an event with the given effective group ID or group
name.
- -gi, --gid group-id
- Search for an event with the given group ID or group name.
- -h, --help
- Help
- -hn, --host host-name
- Search for an event with the given host name. The hostname can be
either a hostname, fully qualified domain name, or numeric network
address. No attempt is made to resolve numeric addresses to domain names
or aliases. This search typically correlates to the addr or host field of
audit events. Also see the --node command which searches the node
field.
- -i, --interpret
- Interpret numeric entities into text. For example, uid is converted to
account name. If the audit logs are unenriched, the conversion is done
using the current resources of the machine where the search is being run.
If you have renamed the accounts, or don't have the same accounts on your
machine, you could get misleading results. If the logs are enriched, it
uses the supplemental data to do the conversion. This allows accurate log
reporting even when run on a different machine than the original logs came
from.
- -if, --input file-name | directory
- Use the given file or directory instead of the logs. This is
to aid analysis where the logs have been moved to another machine or only
part of a log was saved.
- --input-logs
- Use the log file location from auditd.conf as input for searching. This is
needed if you are using ausearch from a cron job.
- --just-one
- Stop after emitting the first event that matches the search criteria.
- -k, --key key-string
- Search for an event based on the given key string.
- -l, --line-buffered
- Flush output on every line. Most useful when stdout is connected to a pipe
and the default block buffering strategy is undesirable. May impose a
performance penalty.
- -m, --message message-type | comma-sep-message-type-list
- Search for an event matching the given message type. (Message types
are also known as record types.) You may also enter a comma separated
list of message types or multiple individual message types each with
its own -m option. There is an ALL message type that doesn't
exist in the actual logs. It allows you to get all messages in the system.
The list of valid messages types is long. The program will display the
list whenever no message type is passed with this parameter. The message
type can be either text or numeric. If you enter a list, there can be only
commas and no spaces separating the list.
- -n, --node
- Search for events originating from a specific machine. Multiple nodes are
allowed, and if any nodes match, the event is matched. This search uses
the node field in audit events. Also see the --host command which search
for events related to host information in the audit trail.
- -o, --object SE-Linux-context-string
- Search for event with tcontext (object) matching the string.
- -p, --pid process-id
- Search for an event matching the given process ID.
- -pp, --ppid parent-process-id
- Search for an event matching the given parent process ID.
- -r, --raw
- Output is completely unformatted. This is useful for extracting records to
a file that can still be interpreted by audit tools or when piping to
other audit tools.
- -sc, --syscall syscall-name-or-value
- Search for an event matching the given syscall. You may either give
the numeric syscall value or the syscall name. If you give the syscall
name, it will use the syscall table for the machine that you are
using.
- -se, --context SE-Linux-context-string
- Search for event with either scontext/subject or
tcontext/object matching the string.
- --session Login-Session-ID
- Search for events matching the given Login Session ID. This process
attribute is set when a user logs in and can tie any process to a
particular user login.
- -su, --subject SE-Linux-context-string
- Search for event with scontext (subject) matching the string.
- -sv, --success success-value
- Search for an event matching the given success value. Legal values
are yes and no.
- -te, --end [end-date] [end-time]
- Search for events with time stamps equal to or before the given end time.
The format of end time depends on your locale. You can check the format of
your locale by running date '+%x'. If the date is omitted,
today is assumed. If the time is omitted, now is assumed.
Use 24 hour clock time rather than AM or PM to specify time. An example
date using the en_US.utf8 locale is 09/03/2009. An example of time is
18:00:00. The date format accepted is influenced by the LC_TIME
environmental variable.
You may also use the word: now, recent,
boot, today, yesterday, this-week,
week-ago, this-month, or this-year. Now
means starting now. Recent is 10 minutes ago. Boot means
the time of day to the second when the system last booted. Today
means now. Yesterday is 1 second after midnight the previous day.
This-week means starting 1 second after midnight on day 0 of the
week determined by your locale (see localtime). Week-ago
means 1 second after midnight exactly 7 days ago. This-month
means 1 second after midnight on day 1 of the month. This-year
means the 1 second after midnight on the first day of the first
month.
- -ts, --start [start-date] [start-time]
- Search for events with time stamps equal to or after the given start time.
The format of start time depends on your locale. You can check the format
of your locale by running date '+%x'. If the date is omitted,
today is assumed. If the time is omitted, midnight is
assumed. Use 24 hour clock time rather than AM or PM to specify time. An
example date using the en_US.utf8 locale is 09/03/2009. An example of time
is 18:00:00. The date format accepted is influenced by the LC_TIME
environmental variable.
You may also use the word: now, recent,
boot, today, yesterday, this-week,
week-ago, this-month, this-year, or
checkpoint. Boot means the time of day to the second when
the system last booted. Today means starting at 1 second after
midnight. Recent is 10 minutes ago. Yesterday is 1 second
after midnight the previous day. This-week means starting 1
second after midnight on day 0 of the week determined by your locale
(see localtime). Week-ago means starting 1 second after
midnight exactly 7 days ago. This-month means 1 second after
midnight on day 1 of the month. This-year means the 1 second
after midnight on the first day of the first month.
checkpoint means ausearch will use the timestamp
found within a valid checkpoint file ignoring the recorded inode,
device, serial, node and event type also found within a checkpoint file.
Essentially, this is the recovery action should an invocation of
ausearch with a checkpoint option fail with an exit status of 10,
11 or 12. It could be used in a shell script something like:
ausearch --checkpoint /etc/audit/auditd_checkpoint.txt -i
_au_status=$?
if test ${_au_status} eq 10 -o ${_au_status} eq 11 -o ${_au_status} eq 12
then
ausearch --checkpoint /etc/audit/auditd_checkpoint.txt --start checkpoint -i
fi
- -tm, --terminal terminal
- Search for an event matching the given terminal value. Some daemons
such as cron and atd use the daemon name for the terminal.
- -ua, --uid-all all-user-id
- Search for an event with either user ID, effective user ID, or login user
ID (auid) matching the given user ID.
- -ue, --uid-effective effective-user-id
- Search for an event with the given effective user ID.
- -ui, --uid user-id
- Search for an event with the given user ID.
- -ul, --loginuid login-id
- Search for an event with the given login user ID. All entry point
programs that are pamified need to be configured with pam_loginuid
required for the session for searching on loginuid (auid) to be
accurate.
- -uu, --uuid guest-uuid
- Search for an event with the given guest UUID.
- -v, --version
- Print the version and exit
- -vm, --vm-name guest-name
- Search for an event with the given guest name.
- -w, --word
- String based matches must match the whole word. This category of matches
include: filename, hostname, terminal, keys, and SE Linux context.
- -x, --executable executable
- Search for an event matching the given executable name.
- 0
- if OK,
- 1
- if nothing found, or argument errors or minor file acces/read errors,
- 10
- invalid checkpoint data found in checkpoint file,
- 11
- checkpoint processing error
- 12
- checkpoint event not found in matching log file
The boot time option is a convenience function and has
limitations. The time it calculates is based on time now minus /proc/uptime.
If after boot the system clock has been adjusted, perhaps by ntp, then the
calculation may be wrong. In that case you'll need to fully specify the
time. You can check the time it would use by running:
date -d "`cut -f1 -d. /proc/uptime` seconds ago"