aureport
Generate summary reports from audit logs
TLDR
Show summary of events
$ sudo aureport
Report on logins
$ sudo aureport -l
Report on syscalls
$ sudo aureport -s
Report on executables
$ sudo aureport -x
Report for time range
$ sudo aureport -ts start_time -te end_time
List audit files and time range
$ sudo aureport -t
SYNOPSIS
aureport [OPTIONS]
DESCRIPTION
aureport generates summary reports from the Linux audit logs. It provides overviews of various event types including logins, authentication, files, syscalls, and anomalies.
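The login report lists one event per row, so spotting repeated failures from one source still takes a tally. The script below is an added example, not part of the audit package: the helper name failed_login_hosts and the sample rows are constructed, and the column layout is assumed to match the header that aureport -l -i prints.

```shell
#!/bin/sh
# Added example: flag hosts with repeated failed logins in an aureport login report.
# Assumed input: output of `aureport -l -i`, whose data rows follow the header
#   # date time auid host term exe success event
# Rows are read from the right because an interpreted auid can contain spaces.

# failed_login_hosts THRESHOLD  (hypothetical helper; reads the report on stdin)
# Prints "<count> <host>" for every host with at least THRESHOLD failed logins.
failed_login_hosts() {
    awk -v min="${1:-3}" '
        $1 ~ /^[0-9]+\.$/ && NF >= 9 {       # data rows start with "N."
            host = $(NF-4); ok = $(NF-1)      # host and success, counted from the end
            if (ok == "no") fails[host]++
        }
        END {
            for (h in fails)
                if (fails[h] >= min) print fails[h], h
        }' | sort -k1,1nr -k2,2
}

# Constructed sample report (not real log data).
sample_report() {
    cat <<'EOF'

Login Report
============================================
# date time auid host term exe success event
============================================
1. 03/04/2024 09:12:01 alice 198.51.100.20 /dev/pts/0 /usr/sbin/sshd yes 412
2. 03/04/2024 09:40:17 root 203.0.113.7 ssh /usr/sbin/sshd no 431
3. 03/04/2024 09:40:19 root 203.0.113.7 ssh /usr/sbin/sshd no 433
4. 03/04/2024 09:40:22 (invalid user) 203.0.113.7 ssh /usr/sbin/sshd no 436
5. 03/04/2024 09:41:03 bob 198.51.100.20 ssh /usr/sbin/sshd no 440
6. 03/04/2024 09:41:30 (unknown) 203.0.113.7 ssh /usr/sbin/sshd no 447
EOF
}

# On a live system: sudo aureport -l -i -ts today | failed_login_hosts 3
sample_report | failed_login_hosts 3
```

Only events that the audit rules actually recorded appear in the report, so a host missing from the tally is not proof that it made no attempts.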
PARAMETERS
-l, --login
Report on login events
-s, --syscall
Report on syscall events
-x, --executable
Report on executable events
-f, --file
Report on file events
-u, --user
Report on user events
-ts, --start time
Start time for report
-te, --end time
End time for report
-t, --log
List audit files and their time ranges
--summary
Include summary statistics
-i, --interpret
Interpret numeric values to names
CONFIGURATION
/etc/audit/auditd.conf
Main audit daemon configuration, controls log file location, size, and rotation.
/etc/audit/audit.rules
Defines which events the audit system logs. Determines what data is available for reporting.
CAVEATS
Requires root privileges. Reports are generated from available audit logs, so completeness depends on what has been logged. Use time filters for large log files.
HISTORY
aureport is part of the audit package, providing reporting capabilities for the Linux Audit Framework.
