LinuxCommandLibrary

aureport

Generate summary reports from audit logs

TLDR

Show summary of events

$ sudo aureport
Report on logins
$ sudo aureport -l
Report on syscalls
$ sudo aureport -s
Report on executables
$ sudo aureport -x
Report for time range
$ sudo aureport -ts start_time -te end_time
List audit files and time range
$ sudo aureport -t

SYNOPSIS

aureport [OPTIONS]

DESCRIPTION

aureport generates summary reports from the Linux audit logs. It provides overviews of various event types including logins, authentication, files, syscalls, and anomalies.

PARAMETERS

-l, --login
Report on login events
-s, --syscall
Report on syscall events
-x, --executable
Report on executable events
-f, --file
Report on file events
-u, --user
Report on user events
-ts, --start time
Start time for report
-te, --end time
End time for report
-t, --log
List audit files and their time ranges
--summary
Include summary statistics
-i, --interpret
Interpret numeric values to names

CONFIGURATION

/etc/audit/auditd.conf
Main audit daemon configuration, controls log file location, size, and rotation.
/etc/audit/audit.rules
Defines which events the audit system logs. Determines what data is available for reporting.

CAVEATS

Requires root privileges. Reports are generated from available audit logs, so completeness depends on what has been logged. Use time filters for large log files.
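
One way to post-process the login report (-l, with -i and a -ts time filter as recommended above) into failed-login counts per source host. This is an added example, not part of the audit package; the column layout, the sample rows and the function names are assumptions.

```shell
#!/bin/sh
# Added example: count failed logins per source host from `aureport -l -i` text.
# Assumed column layout, taken from the report's own header line:
#   N. date time auid host term exe success event

# Constructed sample report, so the script runs without audit logs or root.
sample_report() {
cat <<'EOF'

Login Report
============================================
# date time auid host term exe success event
============================================
1. 01/15/2024 10:12:01 alice 192.0.2.10 /dev/pts/0 /usr/sbin/sshd yes 345
2. 01/15/2024 10:13:44 root 203.0.113.7 ssh /usr/sbin/sshd no 351
3. 01/15/2024 10:13:49 root 203.0.113.7 ssh /usr/sbin/sshd no 355
4. 01/15/2024 10:14:02 bob 198.51.100.23 ssh /usr/sbin/sshd no 360
5. 01/15/2024 10:14:10 root 203.0.113.7 ssh /usr/sbin/sshd no 362
EOF
}

# Read a login report on stdin and print "count host" for failed logins,
# highest count first. Only rows whose first field is "N." are data rows,
# so the title, header, separator and blank lines are skipped.
failed_logins_by_host() {
    awk '$1 ~ /^[0-9]+\.$/ && NF >= 9 && $(NF-1) == "no" { n[$5]++ }
         END { for (h in n) print n[h], h }' | sort -k1,1nr -k2,2
}

# Print hosts with at least $1 failed logins (default 3) in the report on stdin.
noisy_hosts() {
    failed_logins_by_host | awk -v min="${1:-3}" '$1 >= min { print $2 }'
}

# Live use (needs root and existing audit logs):
#   sudo aureport -l -i -ts today | failed_logins_by_host
```

The result only covers what auditd recorded in the selected window, so an empty list means no failed logins were logged, not that none occurred.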

HISTORY

aureport is part of the audit package, providing reporting capabilities for the Linux Audit Framework.

SEE ALSO

ausearch(8), auditctl(8), auditd(8)
