LinuxCommandLibrary

ausearch

Search the audit logs for events

SYNOPSIS

ausearch [options]

PARAMETERS

-a, --event
    Search for a specific event ID.

-au, --uid
    Search for events related to a specific user ID.

-c, --comm
    Search for events related to a specific command name.

-e, --exit
    Search for events with a specific exit code.

-f, --file
    Search for events related to a specific file path.

-ga, --gid
    Search for events related to a specific group ID.

-h, --help
    Display help message and exit.

-i, --interpret
    Interpret numeric IDs (such as user and group IDs) as readable names.

-j, --just-one
    Stop after finding the first match.

-k, --key
    Search for events related to a specific audit key.

-l, --loginuid
    Search for events related to a specific login user ID.

-m, --message
    Search for events of a specific message type (e.g., SYSCALL).

-n, --node
    Search for events from a specific node name. Primarily useful for multi-node setups.

-o, --object
    Search for events associated with a specific object name. Often a file or directory.

-p, --pid
    Search for events related to a specific process ID.

-r, --raw
    Output the raw audit record without interpretation.

-sc, --syscall
    Search for events related to a specific syscall.

-se, --session
    Search for events related to a specific session ID.

-sv, --success
    Search for events based on success/failure (yes or no).

-t, --start
    Search for events starting from a specific time. Accepts the formats described under TIME FORMATS.

-te, --end
    Search for events up to a specific end time. Accepts the formats described under TIME FORMATS.

-ts, --ts
    Search for events that match a timestamp. Unix epoch time.

-v, --version
    Display version information and exit.

-w, --watch
    Continuously monitor audit log file changes and display results.

-x, --executable
    Search for events related to a specific executable path.

-if, --input
    Read audit records from the given file instead of the system audit logs.

-df, --dump-file
    Dump audit data to file.

DESCRIPTION

The ausearch command queries the Linux Audit System logs. It lets administrators and security professionals search for specific events by criteria such as event ID, user ID, executable path, date/time and more, enabling detailed analysis of system activity and security incidents. Its primary function is to extract the relevant records from the audit logs for forensics, compliance auditing and troubleshooting.

By default, ausearch reads audit records from the audit log files; with the appropriate option (-w) it can also read live data from the audit event stream. Output can be formatted in different ways, including raw events, human-readable text, or XML.

Effective use of ausearch is essential for maintaining a secure and auditable Linux system. The versatility and detail it provides make it a valuable asset for system administrators and security personnel, and the command is central to understanding and managing potential security risks.

CAVEATS

The ausearch command requires root privileges to access audit logs. Incorrect usage can lead to excessive disk I/O. Performance can degrade significantly when searching very large log files. Time ranges must be specified carefully to avoid unintended results.
The time interpretation relies on the `dateutils` package being installed and properly configured. If it is not available, times may be interpreted differently.

TIME FORMATS

ausearch understands various time formats, including relative times like 'now', 'recent', or specific dates and times (YYYY-MM-DD HH:MM:SS). Relative times are often more user-friendly.

AUDIT KEYS

Audit keys allow administrators to tag specific audit rules, making it easier to search for related events using the '-k' option.
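The key lookup described here, together with the event grouping behind the -a, -k and -if options in PARAMETERS, as an added shell example (not part of the original page and not code from the audit package): it writes a small file of constructed raw records in the format `ausearch --raw` prints, then returns whole events the way `ausearch --key` does, generalised to any field so that the same function also reproduces what `--syscall` and `--success` match. The rule lines in the comments use real auditctl syntax; the record contents, key names, PIDs, user IDs and paths are made up for the example.

```shell
#!/bin/sh
# Constructed raw audit records (not real log data). An event is every record that
# shares one audit(<seconds>.<millis>:<serial>) id, so `ausearch -a 201` would return
# all four records of the first event. Rules of the kind that produce such records,
# each tagging its events with a key (audit.rules syntax):
#   -a always,exit -F arch=b64 -S execve -k exec-log
#   -w /etc/shadow -p rwa -k etc-watch
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=1001 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="exec-log"
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="cat" a1="/etc/passwd"
type=CWD msg=audit(1700000000.101:201): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:201): item=0 name="/usr/bin/cat" inode=1234 mode=0100755
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=257 success=no exit=-13 ppid=900 pid=1002 auid=1000 uid=1000 gid=1000 euid=1000 comm="vi" exe="/usr/bin/vi" key="etc-watch"
type=PATH msg=audit(1700000000.250:202): item=0 name="/etc/shadow" inode=5678 mode=0100640
type=SYSCALL msg=audit(1700000001.010:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1003 auid=0 uid=0 gid=0 euid=0 comm="id" exe="/usr/bin/id" key="exec-log"
type=EXECVE msg=audit(1700000001.010:203): argc=1 a0="id"
EOF

# Print every record of every event in which at least one record matches REGEX.
# This is why `ausearch -k exec-log` also returns the EXECVE/CWD/PATH lines of a
# matching event, not only the SYSCALL line that carries the key.
events_where() {  # usage: events_where FILE REGEX
  awk -v pat="$2" '
    { match($0, /audit\([0-9]+\.[0-9]+:[0-9]+\)/); id = substr($0, RSTART, RLENGTH) }
    NR == FNR { if ($0 ~ pat) hit[id] = 1; next }   # pass 1: collect ids of matching events
    id in hit                                       # pass 2: emit those events in full
  ' "$1" "$1"
}

# Number of matching events (each event has exactly one SYSCALL record).
count_events_where() {  # usage: count_events_where FILE REGEX
  events_where "$1" "$2" | awk '/^type=SYSCALL /{n++} END{print n+0}'
}

# The same searches with the real tool, pointed at the copied log:
#   ausearch --input "$SAMPLE" --key exec-log
#   ausearch --input "$SAMPLE" --syscall 59
#   ausearch --input "$SAMPLE" --success no --file /etc/shadow
echo "events tagged exec-log: $(count_events_where "$SAMPLE" 'key="exec-log"')"
echo "failed syscalls:        $(count_events_where "$SAMPLE" ' success=no ')"
events_where "$SAMPLE" 'key="exec-log"'
```

Against a live host the equivalent queries are `ausearch --key exec-log`, `ausearch --syscall 59` and `ausearch --success no`, optionally bounded with `--start today --end now`; piping `ausearch --raw` output through a filter like the one above is only worth it for a match that ausearch's own options cannot express.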

INTERPRETING OUTPUT

The '-i' option significantly improves readability by converting numeric IDs into user-friendly text, like usernames and group names.
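What -i does to a single record, as an added example that is not from the page or from the audit package: one constructed raw SYSCALL line is rewritten using small lookup tables that stand in for /etc/passwd, /etc/group, the x86_64 syscall table and errno, which is what ausearch consults on a real host. The table contents, user names and PIDs are assumed for the example; ausearch's own output additionally appends the strerror text to a failed exit code, e.g. `exit=EACCES(Permission denied)`.

```shell
#!/bin/sh
# One raw SYSCALL record as `ausearch --raw` prints it (constructed, not real log data).
RAW='type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=257 success=no exit=-13 ppid=900 pid=1002 auid=1000 uid=1000 gid=1000 euid=1000 comm="vi" exe="/usr/bin/vi" key="etc-watch"'

# Rewrite numeric fields the way `ausearch -i` does. The tables are assumed stand-ins
# for /etc/passwd, /etc/group, the x86_64 syscall numbers and errno values.
interpret() {  # usage: interpret < raw-records
  awk '
    BEGIN {
      user[0] = "root"; user[1000] = "alice"
      grp[0]  = "root"; grp[1000]  = "alice"
      sc[59] = "execve"; sc[257] = "openat"
      archs["c000003e"] = "x86_64"
      errno[-13] = "EACCES"; errno[-2] = "ENOENT"
    }
    {
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        k = kv[1]; v = kv[2]
        if (k ~ /^(a|e|s|fs)?uid$/)      $i = k "=" (v in user  ? user[v]  : v)
        else if (k ~ /^(e|s|fs)?gid$/)    $i = k "=" (v in grp   ? grp[v]   : v)
        else if (k == "syscall")          $i = k "=" (v in sc    ? sc[v]    : v)
        else if (k == "arch")             $i = k "=" (v in archs ? archs[v] : v)
        else if (k == "exit" && v+0 < 0)  $i = k "=" (v in errno ? errno[v] : v)
      }
      print
    }'
}

# Value of one named field after interpretation (first record on stdin).
interpreted_field() {  # usage: interpreted_field NAME < raw-records
  interpret | awk -v k="$1" '
    { for (i = 1; i <= NF; i++) if (index($i, k "=") == 1) { sub(/^[^=]*=/, "", $i); print $i; exit } }'
}

printf '%s\n' "$RAW" | interpret
# Without -i the analyst must know that syscall 257 is openat and exit -13 is EACCES;
# interpreted, the record reads: ... syscall=openat success=no exit=EACCES ... auid=alice uid=alice ...
```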

SEE ALSO

auditd(8), auditctl(8), audispd(8), audit(1), journalctl(1)