aureport
Generate audit system reports
TLDR
Display a summary of auditd events
Generate a summary of login events
List all syscall reports
Generate a summary of executable events
Show a summary of events for a specific time range
List all audit files and the time range of events they cover
Display help
SYNOPSIS
aureport [options] [start-time [end-time]]
PARAMETERS
-a, --auth
Authentication event reports (logins, sudo, etc.)
-A, --assoc
User/group association reports
-b, --start[=START]
Events from START time (e.g., 'today', 'yyyy/mm/dd HH:MM:SS')
-c, --config
Configuration change reports
-e, --event[=ID]
Events matching specific event ID
-f, --failure
Only failed events
-F, --file[=PATH]
Events for specific file PATH
-h, --help
Display help
-i, --interpret
Resolve numeric IDs to names
-k, --key[=KEY]
Events with audit key matching KEY
-l, --login
Login/logout event reports
-L, --limit[=COUNT]
Limit output to COUNT lines
-o, --lost
Lost record summary
-p, --pid[=PID]
Events for specific PID
-r, --relabel
File relabeling reports
-s, --summary[=TYPES]
Summary report (optionally filter TYPES)
-t, --type=TYPE
Events of specific TYPE (e.g., USER_AUTH)
-u, --user[=UID]
Events for specific user UID
-x, --exec
Execve (command execution) reports
-z, --hostname
Group output by hostname
DESCRIPTION
aureport is a command-line tool from the Linux Audit system that analyzes and generates human-readable reports from /var/log/audit/audit.log files. It processes audit records produced by the kernel's audit subsystem (via auditd) to summarize security-relevant events such as logins, file accesses, configuration changes, SELinux AVC denials, and more.
It supports filtering by time range, user, PID, event type, or keywords, making it invaluable for security auditing, compliance reporting (e.g., PCI-DSS, HIPAA), and incident investigation. Reports can be summary-style (totals and counts) or detailed listings, with options to interpret numeric IDs into names (users, groups, etc.).
Output includes columns like time, event ID, success/failure, and details specific to the report type (e.g., username for auth reports). It is non-interactive, handles large log volumes efficiently, and integrates with tools like ausearch for deeper queries. Requires read access to audit logs (typically root or the audit group).
Common use cases: daily security summaries (aureport -s), failed login analysis (aureport -a -f), or time-bound reports (aureport --start today).
CAVEATS
Requires auditd logs; root or 'audit_read' group access needed. Large logs may be slow without filters. Time formats are strict (e.g., 'MM/DD/YY HH:MM:SS'). No real-time monitoring.
COMMON EXAMPLES
aureport --summary: Daily summary.
aureport -a -f --start yesterday: Failed auth events from yesterday.
aureport -l -i: Interpreted login report.
OUTPUT INTERPRETATION
Columns: time (event time), evt (event ID), success (yes/no), followed by type-specific fields. Use --csv for scripting (newer versions).
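The script below is an added example, not code from the page or from the Linux Audit project. It covers two of the points above at once: the failed-login analysis named under DESCRIPTION, and the column layout described under OUTPUT INTERPRETATION. It post-processes a login report rather than the raw audit.log, so it is meant to sit after a pipe such as aureport -l -i with failed events only (the aureport(8) man page spells that flag --failed). The sample report text is constructed and the column order (date, time, auid, host, term, exe, success, event) is assumed from the login report header; check it against your own aureport -l -i output before trusting the field numbers.

```shell
#!/bin/sh
# Added example: count failed logins per account and per source host from an
# aureport login report. Not part of aureport itself.
#
# Assumed report layout (one event per line, after a title, a "=" rule and a
# "# date time auid host term exe success event" header):
#   <n>. <date> <time> <auid> <host> <term> <exe> <success> <event>

# Constructed sample of a failed-only login report (not real audit data).
SAMPLE_REPORT='
Login Report
============================================
# date time auid host term exe success event
============================================
1. 01/15/2024 08:01:12 alice 203.0.113.7 ssh /usr/sbin/sshd no 1041
2. 01/15/2024 08:01:15 alice 203.0.113.7 ssh /usr/sbin/sshd no 1042
3. 01/15/2024 08:01:19 root 203.0.113.7 ssh /usr/sbin/sshd no 1043
4. 01/15/2024 09:30:02 bob 192.0.2.44 pts/1 /usr/bin/login no 1100
5. 01/15/2024 09:31:40 alice 203.0.113.7 ssh /usr/sbin/sshd no 1101
'

# Shared row filter: keep only event rows (first field is "<n>.") whose
# success column (field 8) is "no", and count them by the requested field.
# $1 = awk field number to group by.
count_failed_by_field() {
    awk -v f="$1" '
        $1 ~ /^[0-9]+\.$/ && $8 == "no" { n[$f]++ }
        END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -k1,1nr -k2,2
}

# failed_logins_by_user: stdin = login report, stdout = "count auid", highest first.
failed_logins_by_user() {
    count_failed_by_field 4
}

# failed_logins_by_host: same report, grouped by the source host column instead.
failed_logins_by_host() {
    count_failed_by_field 5
}

# failed_login_alerts THRESHOLD: print accounts whose failed-login count reaches
# THRESHOLD (default 3); a simple trigger for a follow-up ausearch on that auid.
failed_login_alerts() {
    threshold="${1:-3}"
    failed_logins_by_user | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Live use (needs root or the audit group):
#   aureport -l -i --failed | failed_logins_by_user
printf '%s\n' "$SAMPLE_REPORT" | failed_logins_by_user
printf '%s\n' "$SAMPLE_REPORT" | failed_login_alerts 3
```

The grouping is done once in count_failed_by_field so that changing the assumed column layout (for example if a host running a different audit release prints the report with extra fields) is a one-line edit. Because aureport already applies the time window and the failed-only filter, the script stays cheap even on large logs: the expensive scan happens in aureport, the shell only sees the already-reduced report.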
HISTORY
Developed as part of Linux Audit Framework (2004+), primarily by Steve Grubb (Red Hat). Initial release in audit-tools ~1.2 (2006); evolved with SELinux integration and systemd journal support in audit 2.4+ (2014). Widely used in RHEL/CentOS/Fedora.