Auditd : Display Logs with aureport
2016/07/26 |
It's possible to display Audit logs summarily with aureport command which is included in Audit package.
|
|
[1] | This is how to use aureport command. |
# display whole summary without arguments [root@dlp ~]# aureport Summary Report ====================== Range of time in logs: 08/08/2015 02:09:42.093 - 02/25/2016 17:01:01.950 Selected time for report: 08/08/2015 02:09:42 - 02/25/2016 17:01:01.950 Number of changes in configuration: 299 Number of changes to accounts, groups, or roles: 18 Number of logins: 18 Number of failed logins: 3 Number of authentications: 30 Number of failed authentications: 3 Number of users: 3 Number of terminals: 7 Number of host names: 3 Number of executables: 15 Number of commands: 41 Number of files: 0 Number of AVC's: 0 Number of MAC events: 2 Number of failed syscalls: 0 Number of anomaly events: 2 Number of responses to anomaly events: 0 Number of crypto events: 74 Number of integrity events: 0 Number of virt events: 0 Number of keys: 0 Number of process IDs: 407 Number of events: 1955 # display kind of authentication logs [root@dlp ~]# aureport -au Authentication Report ============================================ # date time acct host term exe success event ============================================ 1. 08/08/2015 02:09:52 root ? ttyS0 /usr/bin/login yes 332 2. 08/08/2015 02:20:27 root ? ttyS0 /usr/bin/login yes 34 3. 08/17/2015 10:40:03 root ? ttyS0 /usr/bin/login yes 33 ..... ..... 20. 02/23/2016 11:09:46 cent 10.0.0.20 ssh /usr/sbin/sshd yes 118 21. 02/23/2016 11:13:26 cent ? ttyS0 /usr/bin/login no 147 # display kind of failure authentication logs [root@dlp ~]# aureport -au --failed --summary Failed Authentication Summary Report ============================= total acct ============================= 1 root 1 cent # display kind of modification of user accounts logs [root@dlp ~]# aureport -m -i Account Modifications Report ================================================= # date time auid addr term exe acct success event ================================================= 1. 08/08/2015 02:10:21 root ? ttyS0 /usr/sbin/useradd cent no 342 2. 08/08/2015 02:19:25 root ? ? /usr/sbin/groupadd ? yes 370 3. 08/08/2015 02:19:26 root ? ? /usr/sbin/groupadd ? yes 371 ..... ..... 17. 02/08/2016 11:12:41 root ? ? /usr/sbin/groupadd ntp no 45 18. 02/08/2016 11:12:41 root ? ? /usr/sbin/useradd ntp no 46 # display kind of modification of user accounts logs since this month [root@dlp ~]# aureport -m -i --start this-month Account Modifications Report ================================================= # date time auid addr term exe acct success event ================================================= 1. 02/08/2016 11:12:41 root ? ? /usr/sbin/groupadd ntp no 45 2. 02/08/2016 11:12:41 root ? ? /usr/sbin/useradd ntp no 46 # display kind of executing logs [root@dlp ~]# aureport -x -i Executable Report ==================================== # date time exe term host auid event ==================================== 1. 08/08/2015 02:09:42 /usr/lib/systemd/systemd ? ? unset 6 2. 08/08/2015 02:09:42 /usr/lib/systemd/systemd-update-utmp ? ? unset 7 3. 08/08/2015 02:09:42 /usr/lib/systemd/systemd ? ? unset 8 ..... ..... 1422. 02/23/2016 17:01:01 /usr/sbin/crond cron ? root 211 1423. 02/23/2016 17:01:01 /usr/sbin/crond cron ? root 212 # display kind of executing logs from 2016/2/7 to 2016/2/21 [root@dlp ~]# aureport -x -i --start 02/07/2016 --end 02/21/2016 Executable Report ==================================== # date time exe term host auid event ==================================== 1. 02/08/2016 11:11:47 /usr/lib/systemd/systemd ? ? unset 5 2. 02/08/2016 11:11:47 /usr/lib/systemd/systemd-update-utmp ? ? unset 6 3. 02/08/2016 11:11:47 /usr/lib/systemd/systemd ? ? unset 7 ..... ..... 87. 02/08/2016 11:14:08 /usr/lib/systemd/systemd ? ? unset 92 88. 02/08/2016 11:14:08 /usr/lib/systemd/systemd ? ? unset 93 |
[3] | Search and Display logs with ausearch and aureport like follows. |
# search and display authentication logs on dlp.srv.world [root@dlp ~]# ausearch --node dlp.srv.world | aureport -au Authentication Report ============================================ # date time acct host term exe success event ============================================ 1. 02/25/2016 16:55:35 cent ? ttyS0 /usr/bin/su yes 103 2. 02/25/2016 16:55:44 cent ? /dev/ttyS0 /usr/bin/sudo yes 107 3. 02/26/2016 09:21:35 root ? ttyS0 /usr/bin/login yes 38 4. 02/26/2016 09:50:32 root ? ttyS0 /usr/bin/login yes 38 # search and display executing logs by UserID 1000 [root@dlp ~]# ausearch -ui 1000 | aureport -x -i Executable Report ==================================== # date time exe term host auid event ==================================== 1. 02/23/2016 09:52:23 /usr/bin/sudo /dev/ttyS0 ? cent 49 2. 02/23/2016 09:52:23 /usr/bin/sudo /dev/ttyS0 ? cent 50 3. 02/23/2016 09:55:06 /usr/bin/su ttyS0 ? cent 80 ..... ..... 15. 02/26/2016 09:48:50 /usr/bin/sudo /dev/ttyS0 ? cent 52 |