


AUSEARCH:(8)            System Administration Utilities           AUSEARCH:(8)




NAME

       ausearch - a tool to query audit daemon logs


SYNOPSIS

       ausearch [ options ]


DESCRIPTION

       ausearch is a tool that queries the audit daemon logs for events based
       on different search criteria. Each commandline option given forms an
       "and" statement. For example, searching with -m and -ui means return
       only events that have both the requested type and match the user id
       given.

       It should also be noted that each syscall excursion from user space
       into the kernel and back into user space has one event ID that is
       unique. Any auditable event that is triggered during this trip shares
       this ID so that the records may be correlated.

       Different parts of the kernel may add supplemental records. For
       example, an audit event on the syscall "open" will also cause the
       kernel to emit a PATH record with the file name. The ausearch utility
       will present all records that make up one event together. This could
       mean that even though you search for a specific kind of record, the
       resulting events may contain SYSCALL records.

       Also be aware that not all record types have the requested information.
       For example, a PATH record does not have a hostname or a loginuid.
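       The matching model described above (options "and" together, records
       sharing an event ID are presented as one event, and a field may live
       in only one of those records) can be illustrated with a small parser.
       This is an added example, not code from the audit package; the log
       lines are constructed, and the rule that criteria are checked against
       fields collected across all records of an event is an assumption about
       how ausearch correlates them.

```python
import re

# Constructed auditd-style log: two events, serials 2401771 and 2401772.
# Each event is a SYSCALL record plus the supplemental CWD/PATH records
# the kernel emits for the same trip into the kernel.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1116360555.329:2401771): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=1234 auid=500 uid=500 gid=500 euid=500 egid=500 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1116360555.329:2401771): cwd="/home/alice"
type=PATH msg=audit(1116360555.329:2401771): item=0 name="/etc/shadow" inode=1234 mode=0100000
type=SYSCALL msg=audit(1116360556.100:2401772): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=1300 auid=0 uid=0 gid=0 euid=0 egid=0 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1116360556.100:2401772): item=0 name="/etc/shadow" inode=1234 mode=0100000
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")   # timestamp:serial
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')               # key=value or key="value"

def parse_record(line):
    """Turn one raw line into a dict of fields; the serial after ':' is the event ID."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["_ts"] = float(m.group(1))
    fields["_serial"] = m.group(2)
    return fields

def group_events(log_text):
    """Group records that share an event ID, in first-seen order."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["_serial"], []).append(rec)
    return events

def search(log_text, **criteria):
    """Return whole events that satisfy every criterion (the "and" rule).
    Criteria are raw field names (type, uid, auid, success, name, comm...)."""
    hits = []
    for records in group_events(log_text).values():
        # Assumption: a criterion is satisfied if ANY record of the event
        # carries the value, since PATH has no uid and SYSCALL has no name.
        if all(any(r.get(k) == str(v) for r in records) for k, v in criteria.items()):
            hits.append(records)
    return hits

if __name__ == "__main__":
    for ev in search(SAMPLE_LOG, type="PATH", uid="500"):
        print(ev[0]["_serial"], [r["type"] for r in ev])
```

Searching for PATH records still returns the SYSCALL record of each event,
which is the behaviour the description warns about.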



OPTIONS

       -a <audit event id>
              Search for an event based on the given event ID. Messages always
              start with something like msg=audit(1116360555.329:2401771). The
              event ID is the number after the ’:’. All audit events that  are
              recorded  from  one  application’s  syscall  have the same audit
              event ID. A second syscall made by  the  same  application  will
              have a different event ID. This way they are unique.

       -c <comm name>
              Search  for an event based on the given comm name. The comm name
              is the executable’s name from the task structure.

       -f <file name>
              Search for an event based on the given filename.

       -ga <all group id>
              Search for an event with either effective group ID or  group  ID
              matching the given group ID.

       -ge <effective group id>
              Search  for  an event with the given effective group ID or group
              name.

       -gi <group id>
              Search for an event with the given group ID or group name.

       -h     Help

       -hn <host name>
              Search for an event with the given host name. The  hostname  can
              be either a hostname, fully qualified domain name, or numeric IP
              address. No attempt is made  to  resolve  numeric  addresses  to
              domain names or aliases.

       -i     Interpret numeric entities into text. For example, uid is
              converted to account name. The conversion is done using the
              current resources of the machine where the search is being run.
              If you have renamed the accounts, or don’t have the same
              accounts on your machine, you could get misleading results.

       -if <file name>
              Use the given file instead of the logs. This is to aid analysis
              where the logs have been moved to another machine or only part
              of a log was saved.

       -m <message type> | <comma sep message type list>
              Search for an event matching the given message type. You may
              also enter a comma separated list of message types. There is an
              ALL message type that doesn’t exist in the actual logs. It
              allows you to get all messages in the system. The list of valid
              message types is long. The program will display the list
              whenever no message type is passed with this parameter. The
              message type can be either text or numeric. If you enter a
              list, there can be only commas and no spaces separating the
              list.

       -o <SE Linux context string>
              Search for an event with tcontext (object) matching the string.

       -p <process id>
              Search for an event matching the given process ID.

       -sc <syscall name or value>
              Search for an event matching the given syscall. You  may  either
              give  the numeric syscall value or the syscall name. If you give
              the syscall name, it will use the syscall table for the  machine
              that you are using.

       -se <SE Linux context string>
              Search for an event with either scontext/subject or
              tcontext/object matching the string.

       -su <SE Linux context string>
              Search for an event with scontext (subject) matching the string.

       -sv <success value>
              Search for an event matching the given success value. Legal
              values are yes and no.

       -te [end date] [end time]
              Search  for events with time stamps equal to or before the given
              end time. The format of end time depends on your locale. If  the
              date  is  omitted, today is assumed. If the time is omitted, now
              is assumed. Use 24 hour clock time rather than AM or PM to spec-
              ify  time.  An  example  date is 10/24/05. An example of time is
              18:00:00.

       -ts [start date] [start time]
              Search for events with time stamps equal to or after the given
              start time. The format of start time depends on your locale. If
              the date is omitted, today is assumed. If the time is omitted,
              midnight is assumed. Use 24 hour clock time rather than AM or
              PM to specify time. An example date is 10/24/05. An example of
              time is 18:00:00.

       -tm <terminal>
              Search for an event matching the given terminal value. Some
              daemons such as cron and atd use the daemon name for the
              terminal.

       -ua <all user id>
              Search  for  an event with either user ID, effective user ID, or
              login user ID (auid) matching the given user ID.

       -ue <effective user id>
              Search for an event with the given effective user ID.

       -ui <user id>
              Search for an event with the given user ID.

       -ul <login id>
              Search for an event with the given  login  user  ID.  All  entry
              point  programs  that  are  pamified  need to be configured with
              pam_loginuid required for the session for searching on  loginuid
              (auid) to be accurate.

       -v     Print the version and exit

       -w     String based matches must match the whole word. This category
              of matches includes: filename, hostname, terminal, and SE Linux
              context.

       -x <executable>
              Search for an event matching the given executable name.


SEE ALSO

       auditd(8), pam_loginuid(8)



Red Hat                            Oct 2005                       AUSEARCH:(8)
