aureport
Generate audit system reports
TLDR
Display a summary of auditd events
Generate a summary of login events
List all syscall reports
Generate a summary of executable events
Show a summary of events for a specific time range
List all audit files and the time range of events they cover
Display help
SYNOPSIS
aureport [options]
PARAMETERS
-u, --users
Reports on user activity, showing counts of events per user.
-s, --success
Filters the report to include only successful events.
-f, --file
Generates a report focused on file and directory access events.
-l, --login
Provides a summary of user login and logout events.
-h, --host
Reports on events originating from different hosts.
-x, --executable
Summarizes events related to executable programs being run.
-e, --event
Reports on the types of audit events recorded.
-m, --mods
Displays a summary of system modification events.
-A, --auth
Reports on authentication-related events.
--start
Filters events to include those occurring on or after the specified timestamp.
--end
Filters events to include those occurring on or before the specified timestamp.
-i, --interpret
Interprets numeric entities (like UIDs, GIDs, SIDs) into human-readable names.
--input
Reads audit log data from the specified file instead of the default location.
-F, --format
Specifies the output format for the report (default is plain text).
--summary-users
Provides a condensed summary of user activity.
--summary-failures
Gives a summary of all audit failures.
DESCRIPTION
aureport is a command-line utility for generating summaries and reports from the Linux Auditing System logs. It processes the raw audit records, typically found in /var/log/audit/audit.log, and presents them in a human-readable, aggregated format. System administrators and security professionals use it to gain insight into system activity, detect security breaches, monitor user behavior, and demonstrate compliance with security policies. aureport can summarize many aspects of system events, including user logins, file access, privilege escalations, successful and failed authentication attempts, and command executions. Because the reports are aggregated, audit trails can be reviewed quickly without parsing the raw log files by hand.
CAVEATS
aureport requires the Linux Auditing System (auditd) to be properly configured and running; without collected audit events there is nothing to report on.
Performance can be significantly impacted when processing very large audit logs, especially with the -i (--interpret) option, which performs a name lookup for the numeric fields of every record.
The accuracy and detail of reports depend directly on the audit rules defined with auditctl or augenrules: events that no rule records will never appear in a report.
The default log file location is usually /var/log/audit/audit.log, but this can vary depending on the log_file setting in auditd.conf.
POWERFUL FILTERING
Beyond basic time ranges, aureport supports filtering by success or failure and by specific event types, which allows granular analysis of audit trails to pinpoint security incidents or compliance deviations.
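An added example of the filtering described above put to use for detection (not part of the aureport documentation): a small POSIX sh script that flags accounts with an unusually high number of failed logins in a one-day summary report. It assumes the summary report lists one "count  auid" row per account after a "====" separator, that the threshold value is ours, and that the --failed and --summary options (not listed on this page) are available; the sample report is constructed.

```shell
#!/bin/sh
# Added example, not code from the aureport project.
# Assumption: aureport summary reports list data rows as "<count>  <auid>"
# after a '====' separator line, so only lines starting with a number are data.

# Reads an aureport login summary on stdin and prints "auid count" for every
# account whose failed-login count is at or above the threshold in $1.
# Title, column header and separator lines never begin with a digit and are
# therefore skipped.
flag_failed_logins() {
    threshold="$1"
    awk -v th="$threshold" '
        /^[0-9]+[[:space:]]+/ && $1 + 0 >= th { print $2, $1 }
    '
}

# Runs the real report for the previous day and filters it. Uses the
# --start/--end time filters and -i (interpret UIDs to names) described on
# this page; --failed and --summary are aureport options not listed above.
# Default threshold of 5 failures is an arbitrary, constructed value.
daily_failed_login_check() {
    aureport -l --failed --summary -i --start yesterday --end today \
        | flag_failed_logins "${1:-5}"
}

# Constructed sample in the shape of an aureport failed-login summary, so the
# filter can be exercised without a live audit log.
SAMPLE_REPORT='
Failed Login Summary Report
============================
total  auid
============================
42  root
3  alice
7  unset
1  bob
'

# Offline demonstration: prints "root 42" and "unset 7".
printf '%s\n' "$SAMPLE_REPORT" | flag_failed_logins 5
```

On a live system call daily_failed_login_check from a cron job and forward its output to whatever alerting channel you use; an empty output means no account crossed the threshold.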
OUTPUT FLEXIBILITY
While its primary output is human-readable text, the command offers options to output data in XML or JSON formats, facilitating integration with other log analysis tools, security information and event management (SIEM) systems, or custom scripts for automated processing.
HISTORY
aureport is an integral part of the Linux Audit Framework, primarily developed by Red Hat. It emerged alongside auditd, auditctl, and ausearch to provide comprehensive security auditing capabilities for Linux systems. Its development has focused on helping administrators quickly understand and report on system events for security monitoring, compliance (such as PCI DSS, HIPAA, SOX), and forensic analysis, and it continues to evolve with the demands of modern system security.