
Auditd : Search Logs with ausearch (CentOS 7)
2016/02/21
 
Audit events are written to /var/log/audit/audit.log. You can load your own Audit rules, but even with no rules loaded a number of events are recorded by default — system logins, changes to user accounts, sudo actions and so on — because PAM, sudo, systemd and similar components emit their own audit messages through the kernel audit interface. The log file is readable only by root by default, so the commands below are run as root.
[1] The log is plain text, so it can be read directly. Note that in the raw records the msg=audit(...) field carries a Unix epoch timestamp and an event serial number, and uid/auid values are shown numerically:
[root@dlp ~]#
tail -5 /var/log/audit/audit.log

node=dlp.srv.world type=USER_START msg=audit(1456386950.783:116): pid=10697 uid=0 auid=0 ses=1 msg='op=P...
node=dlp.srv.world type=USER_END msg=audit(1456386950.799:117): pid=10697 uid=0 auid=0 ses=1 msg='op=PAM...
node=dlp.srv.world type=CRED_DISP msg=audit(1456386950.799:118): pid=10697 uid=0 auid=0 ses=1 msg='op=PA...
node=dlp.srv.world type=USER_END msg=audit(1456386952.872:119): pid=10676 uid=0 auid=0 ses=1 msg='op=PAM...
node=dlp.srv.world type=CRED_DISP msg=audit(1456386952.872:120): pid=10676 uid=0 auid=0 ses=1 msg='op=PA...
[2] audit.log grows large and the raw records are hard to read, so the audit package provides the ausearch command to pull out specific events. Unless --input names a file, ausearch reads the log files under /var/log/audit, including rotated ones, so a search covers more than just the current audit.log.
# search USER_LOGIN events; --interpret (-i) turns epoch timestamps into dates and numeric uids into names (name resolution uses this host's passwd database, so on a central log host the names may not match the origin host)

[root@dlp ~]#
ausearch --message USER_LOGIN --interpret

----
node=dlp.srv.world type=USER_LOGIN msg=audit(02/26/2016 09:21:35.121:44) : pid=610 uid=root auid=root ses=...
----
node=node01.srv.world type=USER_LOGIN msg=audit(02/26/2016 09:40:29.419:46) : pid=625 uid=root auid=root s...
.....
.....
node=node01.srv.world type=USER_LOGIN msg=audit(02/26/2016 10:34:51.089:44) : pid=620 uid=root auid=root s...

# search sudo events for user ID 1000: -x matches the executable name, -ua matches an event whose uid, euid or auid is 1000

[root@dlp ~]#
ausearch -x sudo -ua 1000

----
time->Tue Feb 23 09:52:23 2016
node=dlp.srv.world type=USER_AUTH msg=audit(1456188743.819:49): pid=960 uid=1000 auid=0 ses=1 msg='op=...
----
time->Tue Feb 23 09:52:23 2016
node=dlp.srv.world type=USER_ACCT msg=audit(1456188743.819:50): pid=960 uid=1000 auid=0 ses=1 msg='op=...
.....
.....
time->Fri Feb 26 09:48:50 2016
node=node01.srv.world type=USER_ACCT msg=audit(1456447730.031:52): pid=966 uid=1000 auid=0 ses=1 msg='...

# search events that failed (res=failed / success=no) on host dlp.srv.world; --node matches the node= field, which is only present when auditd.conf sets name_format to something other than the default "none"

[root@dlp ~]#
ausearch --node dlp.srv.world --success no

----
time->Thu Feb 25 17:46:57 2016
node=dlp.srv.world type=USER_END msg=audit(1456390017.044:129): pid=608 uid=0 auid=0 ses=1 msg='..... res=failed'
----
time->Thu Feb 25 17:46:57 2016
node=dlp.srv.world type=SERVICE_START msg=audit(1456390017.111:147): pid=1 uid=0 auid=4294967295 ..... res=failed'
.....
.....
time->Fri Feb 26 09:50:10 2016
node=dlp.srv.world type=SERVICE_STOP msg=audit(1456447810.331:63): pid=1 uid=0 auid=4294967295  ..... res=failed'

# search events for login user ID (auid) 1000 from 2016/2/7 to 2016/2/21; auid is set at login and is kept across su/sudo, so -ul attributes actions to the user who originally logged in. The --start/--end date format follows the locale (US mm/dd/yyyy here)

[root@dlp ~]#
ausearch --start 02/07/2016 --end 02/21/2016 -ul 1000

----
time->Tue Feb 7 09:54:51 2016
type=LOGIN msg=audit(1456188891.234:69): pid=976 uid=0 old-auid=4294967295 auid=1000 old-ses=4294967295 s...
----
time->Tue Feb 7 09:54:51 2016
type=USER_START msg=audit(1456188891.244:70): pid=976 uid=0 auid=1000 ses=2 msg='op=PAM:session_open gran...

time->Tue Feb 21 11:13:38 2016
type=USER_END msg=audit(1456193618.644:159): pid=8105 uid=0 auid=1000 ses=6 msg='op=PAM:session_close gra...
 