LinuxCommandLibrary

ausearch

Search the audit logs for events

SYNOPSIS

ausearch [options]

PARAMETERS

-i, --interpret
    Interpret numeric entities into human-readable text. For example, UIDs are resolved to usernames, GIDs to group names, syscall numbers to their names, and so on. This is highly recommended for readability.

-f, --file file
    Search for events that accessed a specific file or directory.

-k, --key key
    Search for events containing a specific audit key tag. Keys are often used to group related audit rules and their generated events.

-m, --message message
    Search for events of a specific message type (e.g., CWD, SYSCALL, USER_LOGIN, PATH). Can be specified multiple times.

-sv, --success success
    Search for events based on their success or failure status. Values are 'yes' or 'no'.

-ua, --uid-all account
    Search for any user ID (UID, AUID, LOGINUID) matching the specified account name or ID.

-ul, --loginuid loginid
    Search for events with a specific loginuid, which identifies the login session origin.

-ts, --start timestamp
    Search for events occurring on or after the specified timestamp. Format can be 'now', 'yesterday', 'this-week', 'this-month', 'this-year', or a specific date/time string (e.g., '10/25/2023 14:30:00').

-te, --end timestamp
    Search for events occurring on or before the specified timestamp. Similar formats as --start.

--input file
    Read audit logs from a specified file instead of the default location. Can be used multiple times.

--input-format format
    Specify the input file format, typically 'raw' (default) or 'text'.

--just-one
    Stop searching after the first match is found. Useful for performance when you only need to confirm existence.

-x, --syscall syscall
    Search for events related to a specific syscall number or name. Can be specified multiple times.

DESCRIPTION

The ausearch command is a utility for querying and filtering the audit daemon's log files. It's an integral part of the Linux Audit Framework, designed to help administrators and security professionals analyze security-relevant events that have occurred on a system.

It can search for specific audit events based on various criteria, such as time ranges, event IDs, user IDs, groups, syscalls, message types, and more. Unlike a plain grep over the log files, ausearch understands the structured nature of audit records, allowing for more precise and context-aware searches.

The command processes raw audit logs, typically located in /var/log/audit/audit.log (or specified input files), and outputs matching events in a human-readable format. This capability makes it invaluable for incident response, compliance auditing, and general security monitoring, providing insights into system activities like user logins, file access, privilege escalations, and network connections.

CAVEATS

When searching large audit log files, ausearch can be resource-intensive, especially without specific time or ID filters. Performance can degrade if searching for broad patterns across many gigabytes of logs.

Understanding the various fields in audit records (e.g., UID, AUID, LOGINUID, SUID, FSUID) is crucial for accurate searches, as misinterpreting them can lead to incomplete or incorrect results. The -i option, while very helpful for interpretation, can also add overhead.

Time zone considerations are important; audit logs are typically stored in UTC, and ausearch will interpret timestamps based on the system's current time zone unless explicitly handled.

DEFAULT LOG LOCATION

By default, ausearch processes logs from /var/log/audit/audit.log and other rotated logs in that directory. If audit logs are archived or moved, the --input option must be used to specify their new location.

PRIVILEGES

To read audit logs, ausearch typically requires root privileges or membership in a group that has read access to the audit log files (e.g., the 'audit' group on some systems).

COMBINING FILTERS

Multiple search criteria can be combined in a single ausearch command. By default, these criteria are joined with a logical AND, meaning all specified conditions must be met for an event to be returned.
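The two points above (ausearch groups structured records into events, and joins its criteria with a logical AND) are shown below in a small, self-contained Python re-implementation. This is an added example, not code from this page or from the Linux audit project: the audit.log lines, the x86_64 syscall table and the UTC handling of `-ts`/`-te` dates are constructed or assumed for the example. The `search` call at the bottom corresponds to `ausearch -k shadow-access -sv no -i`.

```python
"""ausearch-style event filtering over audit.log records (added example).

Records that share one msg=audit(timestamp:serial) id are grouped into an
event, and an event is kept only when every requested criterion holds, which
is ausearch's default (logical AND). Sample data and tables are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of /var/log/audit/audit.log content: two multi-record
# SYSCALL events touching /etc/shadow (one denied, one allowed) and one login.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1698244200.123:4567): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1234 pid=1250 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="cat" exe="/usr/bin/cat" key="shadow-access"
type=CWD msg=audit(1698244200.123:4567): cwd="/home/alice"
type=PATH msg=audit(1698244200.123:4567): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1698244260.500:4568): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="shadow-access"
type=PATH msg=audit(1698244260.500:4568): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000 ouid=0 ogid=42 nametype=NORMAL
type=USER_LOGIN msg=audit(1698244300.000:4569): pid=901 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=/dev/pts/1 res=success'
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value pairs; values may be "double-quoted", 'single-quoted' (nested msg=) or bare
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

# Tiny x86_64 syscall table (assumption for the example) so a -x style filter
# accepts a name or a number; ausearch -i resolves these from the audit tables.
SYSCALL_NAMES = {2: "open", 59: "execve", 257: "openat"}


def parse_record(line):
    """Parse one audit.log line into type/timestamp/serial/fields, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(body)}
    return {"type": rtype, "ts": float(ts), "serial": int(serial), "fields": fields}


def parse_events(text):
    """Group records by their (timestamp, serial) id; each group is one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[(rec["ts"], rec["serial"])].append(rec)
    return [events[k] for k in sorted(events)]


def parse_timestamp(text, tz=timezone.utc):
    """Accept 'now' or the 'MM/DD/YYYY HH:MM:SS' form given for -ts/-te.

    ausearch applies the system's local time zone; tz defaults to UTC here so
    results are reproducible (an assumption of this example, not ausearch's rule).
    """
    if text == "now":
        return datetime.now(tz).timestamp()
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S").replace(tzinfo=tz).timestamp()


def event_matches(event, key=None, success=None, uid=None, syscall=None,
                  file=None, message=None, start=None, end=None):
    """Logical AND of every criterion that was supplied (None means 'any')."""
    ts = event[0]["ts"]
    if start is not None and ts < start:
        return False
    if end is not None and ts > end:
        return False
    fields = [r["fields"] for r in event]
    if message is not None and message not in {r["type"] for r in event}:
        return False
    if key is not None and not any(f.get("key") == key for f in fields):
        return False
    if success is not None and not any(
            r["type"] == "SYSCALL" and r["fields"].get("success") == success for r in event):
        return False
    if uid is not None and not any(  # like -ua: uid, auid (loginuid) or euid
            f.get(n) == str(uid) for f in fields for n in ("uid", "auid", "euid")):
        return False
    if syscall is not None:
        if isinstance(syscall, str) and not syscall.isdigit():
            numbers = {str(n) for n, name in SYSCALL_NAMES.items() if name == syscall}
        else:
            numbers = {str(syscall)}
        if not any(r["type"] == "SYSCALL" and r["fields"].get("syscall") in numbers
                   for r in event):
            return False
    if file is not None:  # exact file or anything under a directory, from PATH records
        prefix = file.rstrip("/") + "/"
        if not any(r["type"] == "PATH" and (r["fields"].get("name") == file or
                   r["fields"].get("name", "").startswith(prefix)) for r in event):
            return False
    return True


def search(events, **criteria):
    """Return the serial numbers of the events satisfying all criteria."""
    return [e[0]["serial"] for e in events if event_matches(e, **criteria)]


def describe(event):
    """Roughly what -i would show: UTC time, syscall name, outcome, who, which paths."""
    rec = next((r for r in event if r["type"] == "SYSCALL"), event[0])
    f = rec["fields"]
    when = datetime.fromtimestamp(rec["ts"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    sc = f.get("syscall")
    name = SYSCALL_NAMES.get(int(sc), sc) if sc else rec["type"]
    paths = [r["fields"].get("name") for r in event if r["type"] == "PATH"]
    return (f"{when} {name} success={f.get('success', '?')} auid={f.get('auid', '?')} "
            f"comm={f.get('comm', '?')} paths={paths}")


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for serial in search(evs, key="shadow-access", success="no"):  # -k ... -sv no
        print(serial, describe(next(e for e in evs if e[0]["serial"] == serial)))
```

Note how the `file` and `uid` criteria are evaluated against different records of the same event (PATH versus SYSCALL): a line-oriented grep for `/etc/shadow` and `uid=0` on one line would find nothing, while the event-level AND returns the allowed sshd access and not the denied one from the unprivileged user.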

HISTORY

The Linux Audit Framework, including ausearch, was developed to provide robust CAPP (Controlled Access Protection Profile) compliance auditing capabilities for the Linux kernel. It gained significant traction and widespread adoption starting with the 2.6 kernel series, becoming a standard component in major Linux distributions like Red Hat Enterprise Linux, CentOS, and Fedora.

ausearch has evolved alongside the audit system itself, with ongoing improvements to filtering capabilities, performance, and interpretation options, making it an indispensable tool for system security and compliance.

SEE ALSO

auditctl(8), aureport(8), auditd(8), audispd(8)
