ausearch
AUSEARCH:(8) System Administration Utilities AUSEARCH:(8)
NAME
ausearch - a tool to query audit daemon logs
SYNOPSIS
ausearch [ options ]
DESCRIPTION
ausearch is a tool that can query the audit daemon logs based for
events based on different search criteria. Each commandline option
given forms an "and" statement. For example, searching with -m and -ui
means return events that have both the requested type and match the
user id given.
It should also be noted that each syscall excursion from user space
into the kernel and back into user space has one event ID that is
unique. Any auditable event that is triggered during this trip share
this ID so that they may be correlated.
Different parts of the kernel may add supplemental records. For exam-
ple, an audit event on the syscall "open" will also cause the kernel to
emit a PATH record with the file name. The ausearch utility will
present all records that make up one event together. This could mean
that even though you search for a specific kind of record, the result-
ing events may contain SYSCALL records.
Also be aware that not all record types have the requested information.
For example, a PATH record does not have a hostname or a loginuid.
OPTIONS
-a <audit event id>
Search for an event based on the given event ID. Messages always
start with something like msg=audit(1116360555.329:2401771). The
event ID is the number after the ’:’. All audit events that are
recorded from one application’s syscall have the same audit
event ID. A second syscall made by the same application will
have a different event ID. This way they are unique.
-c <comm name>
Search for an event based on the given comm name. The comm name
is the executable’s name from the task structure.
-f <file name>
Search for an event based on the given filename.
-ga <all group id>
Search for an event with either effective group ID or group ID
matching the given group ID.
-ge <effective group id>
Search for an event with the given effective group ID or group
name.
-gi <group id>
Search for an event with the given group ID or group name.
-h Help
-hn <host name>
Search for an event with the given host name. The hostname can
be either a hostname, fully qualified domain name, or numeric IP
address. No attempt is made to resolve numeric addresses to
domain names or aliases.
-i Interpret numeric entities into text. For example, uid is con-
verted to account name. The conversion is done using the current
resources of the machine where the search is being run. If you
have renamed the accounts, or don’t have the same accounts on
your machine, you could get misleading results.
-if <file name>
Use the given file instead if the logs. This is to aid analysis
where the logs have been moved to another machine or only part
of a log was saved.
-m <message type> | <comma sep message type list>
Search for an event matching the given message type. You may
also enter a comma separated list of message types. There is an
ALL message type that doesn’t exist in the actual logs. It
allows you to get all messages in the system. The list of valid
messages types is long. The program will display the list when-
ever no message type is passed with this parameter. The message
type can be either text or numeric. If you enter a list, there
can be only commas and no spaces separating the list.
-o <SE Linux context string>
Search for event with tcontext (object) matching the string.
-p <process id>
Search for an event matching the given process ID.
-sc <syscall name or value>
Search for an event matching the given syscall. You may either
give the numeric syscall value or the syscall name. If you give
the syscall name, it will use the syscall table for the machine
that you are using.
-se <SE Linux context string>
Search for event with either scontext/subject or tcontext/object
matching the string.
-su <SE Linux context string>
Search for event with scontext (subject) matching the string.
-sv <success value>
Search for an event matching the given success value. Legal val-
ues are yes and no.
-te [end date] [end time]
Search for events with time stamps equal to or before the given
end time. The format of end time depends on your locale. If the
date is omitted, today is assumed. If the time is omitted, now
is assumed. Use 24 hour clock time rather than AM or PM to spec-
ify time. An example date is 10/24/05. An example of time is
18:00:00.
-ts [start date] [start time]
Search for events with time stamps equal to or after the given
end time. The format of end time depends on your locale. If the
date is omitted, today is assumed. If the time is omitted, mid-
night is assumed. Use 24 hour clock time rather than AM or PM to
specify time. An example date is 10/24/05. An example of time is
18:00:00.
-tm <terminal>
Search for an event matching the given terminal value. Some dae-
mons such as cron and atd use the daemon name for the terminal.
-ua <all user id>
Search for an event with either user ID, effective user ID, or
login user ID (auid) matching the given user ID.
-ue <effective user id>
Search for an event with the given effective user ID.
-ui <user id>
Search for an event with the given user ID.
-ul <login id>
Search for an event with the given login user ID. All entry
point programs that are pamified need to be configured with
pam_loginuid required for the session for searching on loginuid
(auid) to be accurate.
-v Print the version and exit
-w String based matches must match the whole word. This category of
matches include: filename, hostname, terminal, and SE Linux con-
text.
-x <executable>
Search for an event matching the given executable name.
SEE ALSO
auditd(8), pam_loginuid(8)
Red Hat Oct 2005 AUSEARCH:(8)
Man(1) output converted with
man2html