ausearch

AUSEARCH:(8)             System Administration Utilities            AUSEARCH:(8)



NAME
       ausearch - a tool to query audit daemon logs

SYNOPSIS
       ausearch [options]

DESCRIPTION
       ausearch is a tool that can query the audit daemon logs based for events
       based on different search criteria. The ausearch utility can also take
       input from stdin as long as the input is the raw log data. Each
       commandline option given forms an "and" statement. For example, searching
       with -m and -ui means return events that have both the requested type and
       match the user id given. An exception is the -m  and -n options; multiple
       record types and nodes are allowed in a search which will return any
       matching node and record.

       It should also be noted that each syscall excursion from user space into
       the kernel and back into user space has one event ID that is unique. Any
       auditable event that is triggered during this trip share this ID so that
       they may be correlated.

       Different parts of the kernel may add supplemental records. For example,
       an audit event on the syscall "open" will also cause the kernel to emit a
       PATH record with the file name. The ausearch utility will present all
       records that make up one event together. This could mean that even though
       you search for a specific kind of record, the resulting events may
       contain SYSCALL records.

       Also be aware that not all record types have the requested information.
       For example, a PATH record does not have a hostname or a loginuid.


OPTIONS
       -a, --event audit-event-id
              Search for an event based on the given event ID. Messages always
              start with something like msg=audit(1116360555.329:2401771). The
              event ID is the number after the ':'. All audit events that are
              recorded from one application's syscall have the same audit event
              ID. A second syscall made by the same application will have a
              different event ID. This way they are unique.

       --arch CPU
              Search for events based on a specific CPU architecture.  If you do
              not know the arch of your machine but you want to use the 32 bit
              syscall table and your machine supports 32 bits, you can also use
              b32 for the arch. The same applies to the 64 bit syscall table,
              you can use b64.  The arch of your machine can be found by doing
              'uname -m'.

       -c, --comm comm-name
              Search for an event based on the given comm name. The comm name is
              the executable's name from the task structure.

       --debug
              Write malformed events that are skipped to stderr.

       --checkpoint checkpoint-file
              Checkpoint the output between successive invocations of ausearch
              such that only events not previously output will print in
              subsequent invocations.

              An auditd event is made up of one or more records. When processing
              events, ausearch defines events as either complete or in-complete.
              A complete event is either a single record event or one whose
              event time occurred 2 seconds in the past compared to the event
              being currently processed.

              A checkpoint is achieved by recording the last completed event
              output along with the device number and inode of the file the last
              completed event appeared in checkpoint-file. On a subsequent
              invocation, ausearch will load this checkpoint data and as it
              processes the log files, it will discard all complete events until
              it matches the checkpointed one. At this point, it will start
              outputting complete events.

              Should the file or the last checkpointed event not be found, one
              of a number of errors will result and ausearch will terminate. See
              EXIT STATUS for detail.


       --eoe-timeout seconds
              Set the end of event parsing timeout. See end_of_event_timeout in
              auditd.conf(5) for details. Note that setting this value will
              overide any configured value found in /etc/auditd/auditd.conf.

       -e, --exit exit-code-or-errno
              Search for an event based on the given syscall exit code or errno.

       --escape option
              This option determines if the output is escaped to make the
              content safer for certain uses. The options are raw , tty , shell
              , and shell_quote. Each mode includes the characters of the
              preceding mode and escapes more characters. That is to say shell
              includes all characters escaped by tty and adds more. tty is the
              default.

       --extra-keys
              When the format mode is csv, this option will add a final column
              with key information if its exists for the event. This would only
              occur on SYSCALL records which were the result of triggering an
              audit rule that defines a key.

       --extra-labels
              When the format mode is csv, this option will add columns of
              information about subject and object labels when they exist.

       --extra-obj2
              When the format mode is csv, this option will add columns of
              information about a second object when it exists. It's rare that a
              second object is part of a record. Some examples are when a file
              is renamed from one name to another or when a device is mounted to
              a path.

       --extra-time
              When the format mode is csv, this option will add columns of
              information about broken down time to make subsetting easier.

       -f, --file file-name
              Search for an event based on the given filename. The argument will
              match normal files as well as af_unix sockets.

       --format option
              Events that match the search criteria are formatted using this
              option. The supported formats are: raw, default, interpret, csv,
              and text. The raw option is described under the --raw command line
              option. The default option is what you get when no formatting
              options are passed. It includes one line as a visual separator
              which indicates the time stamp and then the records of the event
              follow. The interpret option is explained under the -i command
              line option. The csv option outputs the results of the search as a
              normalized event in comma separated value (CSV) format suitable
              for import into analytical programs. The text option turns the
              event into an English sentence that is easier to understand than
              other options, but it comes at the expense of loss of detail. In
              most cases this is perfectly fine since the original event still
              retains all the original information.

       -ga, --gid-all all-group-id
              Search for an event with either effective group ID or group ID
              matching the given group ID.

       -ge, --gid-effective effective-group-id
              Search for an event with the given effective group ID or group
              name.

       -gi, --gid group-id
              Search for an event with the given group ID or group name.

       -h, --help
              Help

       -hn, --host host-name
              Search for an event with the given host name. The hostname can be
              either a hostname, fully qualified domain name, or numeric network
              address. No attempt is made to resolve numeric addresses to domain
              names or aliases. This search typically correlates to the addr or
              host field of audit events. Also see the --node command which
              searches the node field.

       -i, --interpret
              Interpret numeric entities into text. For example, uid is
              converted to account name. If the audit logs are unenriched, the
              conversion is done using the current resources of the machine
              where the search is being run. If you have renamed the accounts,
              or don't have the same accounts on your machine, you could get
              misleading results. If the logs are enriched, it uses the
              supplemental data to do the conversion. This allows accurate log
              reporting even when run on a different machine than the original
              logs came from.

       -if, --input file-name | directory
              Use the given file or directory instead of the logs. This is to
              aid analysis where the logs have been moved to another machine or
              only part of a log was saved.

       --input-logs
              Use the log file location from auditd.conf as input for searching.
              This is needed if you are using ausearch from a cron job.

       --just-one
              Stop after emitting the first event that matches the search
              criteria.

       -k, --key key-string
              Search for an event based on the given key string.

       -l, --line-buffered
              Flush output on every line. Most useful when stdout is connected
              to a pipe and the default block buffering strategy is undesirable.
              May impose a performance penalty.

       -m, --message message-type | comma-sep-message-type-list
              Search for an event matching the given message type. (Message
              types are also known as record types.) You may also enter a comma
              separated list of message types or multiple individual message
              types each with its own -m option. There is an ALL message type
              that doesn't exist in the actual logs. It allows you to get all
              messages in the system. The list of valid messages types is long.
              The program will display the list whenever no message type is
              passed with this parameter. The message type can be either text or
              numeric. If you enter a list, there can be only commas and no
              spaces separating the list.

       -n, --node
              Search for events originating from a specific machine. Multiple
              nodes are allowed, and if any nodes match, the event is matched.
              This search uses the node field in audit events. Also see the
              --host command which search for events related to host information
              in the audit trail.

       -o, --object SE-Linux-context-string
              Search for event with tcontext (object) matching the string.

       -p, --pid process-id
              Search for an event matching the given process ID.

       -pp, --ppid parent-process-id
              Search for an event matching the given parent process ID.

       -r, --raw
              Output is completely unformatted. This is useful for extracting
              records to a file that can still be interpreted by audit tools or
              when piping to other audit tools.

       -sc, --syscall syscall-name-or-value
              Search for an event matching the given syscall. You may either
              give the numeric syscall value or the syscall name. If you give
              the syscall name, it will use the syscall table for the machine
              that you are using.

       -se, --context SE-Linux-context-string
              Search for event with either scontext/subject or tcontext/object
              matching the string.

       --session Login-Session-ID
              Search for events matching the given Login Session ID. This
              process attribute is set when a user logs in and can tie any
              process to a particular user login.

       -su, --subject SE-Linux-context-string
              Search for event with scontext (subject) matching the string.

       -sv, --success success-value
              Search for an event matching the given success value. Legal values
              are yes and no.

       -te, --end [end-date] [end-time]
              Search for events with time stamps equal to or before the given
              end time. The format of end time depends on your locale. You can
              check the format of your locale by running date '+%x'.  If the
              date is omitted, today is assumed. If the time is omitted, now is
              assumed. Use 24 hour clock time rather than AM or PM to specify
              time. An example date using the en_US.utf8 locale is 09/03/2009.
              An example of time is 18:00:00. The date format accepted is
              influenced by the LC_TIME environmental variable.

              You may also use the word: now, recent, boot, today, yesterday,
              this-week, week-ago, this-month, or this-year. Now means starting
              now. Recent is 10 minutes ago. Boot means the time of day to the
              second when the system last booted. Today means now. Yesterday is
              1 second after midnight the previous day. This-week means starting
              1 second after midnight on day 0 of the week determined by your
              locale (see localtime). Week-ago means 1 second after midnight
              exactly 7 days ago. This-month means 1 second after midnight on
              day 1 of the month. This-year means the 1 second after midnight on
              the first day of the first month.

       -ts, --start [start-date] [start-time]
              Search for events with time stamps equal to or after the given
              start time. The format of start time depends on your locale. You
              can check the format of your locale by running date '+%x'.  If the
              date is omitted, today is assumed. If the time is omitted,
              midnight is assumed. Use 24 hour clock time rather than AM or PM
              to specify time. An example date using the en_US.utf8 locale is
              09/03/2009. An example of time is 18:00:00. The date format
              accepted is influenced by the LC_TIME environmental variable.

              You may also use the word: now, recent, boot, today, yesterday,
              this-week, week-ago, this-month, this-year, or checkpoint. Boot
              means the time of day to the second when the system last booted.
              Today means starting at 1 second after midnight. Recent is 10
              minutes ago. Yesterday is 1 second after midnight the previous
              day. This-week means starting 1 second after midnight on day 0 of
              the week determined by your locale (see localtime). Week-ago means
              starting 1 second after midnight exactly 7 days ago. This-month
              means 1 second after midnight on day 1 of the month. This-year
              means the 1 second after midnight on the first day of the first
              month.

              checkpoint means ausearch will use the timestamp found within a
              valid checkpoint file ignoring the recorded inode, device, serial,
              node and event type also found within a checkpoint file.
              Essentially, this is the recovery action should an invocation of
              ausearch with a checkpoint option fail with an exit status of 10,
              11 or 12. It could be used in a shell script something like:

                   ausearch --checkpoint /etc/audit/auditd_checkpoint.txt -i
                   _au_status=$?
                   if test ${_au_status} eq 10 -o ${_au_status} eq 11 -o ${_au_status} eq 12
                   then
                     ausearch --checkpoint /etc/audit/auditd_checkpoint.txt --start checkpoint -i
                   fi

       -tm, --terminal terminal
              Search for an event matching the given terminal value. Some
              daemons such as cron and atd use the daemon name for the terminal.

       -ua, --uid-all all-user-id
              Search for an event with either user ID, effective user ID, or
              login user ID (auid) matching the given user ID.

       -ue, --uid-effective effective-user-id
              Search for an event with the given effective user ID.

       -ui, --uid user-id
              Search for an event with the given user ID.

       -ul, --loginuid login-id
              Search for an event with the given login user ID. All entry point
              programs that are pamified need to be configured with pam_loginuid
              required for the session for searching on loginuid (auid) to be
              accurate.

       -uu, --uuid guest-uuid
              Search for an event with the given guest UUID.

       -v, --version
              Print the version and exit

       -vm, --vm-name guest-name
              Search for an event with the given guest name.

       -w, --word
              String based matches must match the whole word. This category of
              matches include: filename, hostname, terminal, keys, and SE Linux
              context.

       -x, --executable executable
              Search for an event matching the given executable name.


EXIT STATUS
       0    if OK,

       1    if nothing found, or argument errors or minor file acces/read
            errors,

       10   invalid checkpoint data found in checkpoint file,

       11   checkpoint processing error

       12   checkpoint event not found in matching log file

NOTE
       The boot time option is a convenience function and has limitations. The
       time it calculates is based on time now minus /proc/uptime. If after boot
       the system clock has been adjusted, perhaps by ntp, then the calculation
       may be wrong. In that case you'll need to fully specify the time. You can
       check the time it would use by running:

       date -d "`cut -f1 -d. /proc/uptime` seconds ago"


SEE ALSO
       auditd(8), auditd.conf(5), pam_loginuid(8).



Red Hat                            March 2017                       AUSEARCH:(8)