CentOS 7
Ads

Auditd : Display Logs with aureport
2016/02/21
 
It's possible to display Audit logs summarily with aureport command which is included in Audit package.
[1] This is how to use aureport command.
# display whole summary without arguments

[root@dlp ~]#
aureport

Summary Report
======================
Range of time in logs: 08/08/2015 02:09:42.093 - 02/25/2016 17:01:01.950
Selected time for report: 08/08/2015 02:09:42 - 02/25/2016 17:01:01.950
Number of changes in configuration: 299
Number of changes to accounts, groups, or roles: 18
Number of logins: 18
Number of failed logins: 3
Number of authentications: 30
Number of failed authentications: 3
Number of users: 3
Number of terminals: 7
Number of host names: 3
Number of executables: 15
Number of commands: 41
Number of files: 0
Number of AVC's: 0
Number of MAC events: 2
Number of failed syscalls: 0
Number of anomaly events: 2
Number of responses to anomaly events: 0
Number of crypto events: 74
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 407
Number of events: 1955

# display kind of authentication logs

[root@dlp ~]#
aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 08/08/2015 02:09:52 root ? ttyS0 /usr/bin/login yes 332
2. 08/08/2015 02:20:27 root ? ttyS0 /usr/bin/login yes 34
3. 08/17/2015 10:40:03 root ? ttyS0 /usr/bin/login yes 33
.....
.....
20. 02/23/2016 11:09:46 cent 10.0.0.20 ssh /usr/sbin/sshd yes 118
21. 02/23/2016 11:13:26 cent ? ttyS0 /usr/bin/login no 147

# display kind of failure authentication logs

[root@dlp ~]#
aureport -au --failed --summary

Failed Authentication Summary Report
=============================
total  acct
=============================
1  root
1  cent

# display kind of modification of user accounts logs

[root@dlp ~]#
aureport -m -i

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 08/08/2015 02:10:21 root ? ttyS0 /usr/sbin/useradd cent no 342
2. 08/08/2015 02:19:25 root ? ? /usr/sbin/groupadd ? yes 370
3. 08/08/2015 02:19:26 root ? ? /usr/sbin/groupadd ? yes 371
.....
.....
17. 02/08/2016 11:12:41 root ? ? /usr/sbin/groupadd ntp no 45
18. 02/08/2016 11:12:41 root ? ? /usr/sbin/useradd ntp no 46

# display kind of modification of user accounts logs since this month

[root@dlp ~]#
aureport -m -i --start this-month

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 02/08/2016 11:12:41 root ? ? /usr/sbin/groupadd ntp no 45
2. 02/08/2016 11:12:41 root ? ? /usr/sbin/useradd ntp no 46

# display kinf of executing logs

[root@dlp ~]#
aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 08/08/2015 02:09:42 /usr/lib/systemd/systemd ? ? unset 6
2. 08/08/2015 02:09:42 /usr/lib/systemd/systemd-update-utmp ? ? unset 7
3. 08/08/2015 02:09:42 /usr/lib/systemd/systemd ? ? unset 8
.....
.....
1422. 02/23/2016 17:01:01 /usr/sbin/crond cron ? root 211
1423. 02/23/2016 17:01:01 /usr/sbin/crond cron ? root 212

# display kinf of executing logs from 2016/2/7 to 2016/2/21

[root@dlp ~]#
aureport -x -i --start 02/07/2016 --end 02/21/2016

Executable Report
====================================
# date time exe term host auid event
====================================
1. 02/08/2016 11:11:47 /usr/lib/systemd/systemd ? ? unset 5
2. 02/08/2016 11:11:47 /usr/lib/systemd/systemd-update-utmp ? ? unset 6
3. 02/08/2016 11:11:47 /usr/lib/systemd/systemd ? ? unset 7
.....
.....
87. 02/08/2016 11:14:08 /usr/lib/systemd/systemd ? ? unset 92
88. 02/08/2016 11:14:08 /usr/lib/systemd/systemd ? ? unset 93
[3] Search and Display logs with ausearch and aureport like follows.
# search and display authentication logs on dlp.srv.world

[root@dlp ~]#
ausearch --node dlp.srv.world | aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 02/25/2016 16:55:35 cent ? ttyS0 /usr/bin/su yes 103
2. 02/25/2016 16:55:44 cent ? /dev/ttyS0 /usr/bin/sudo yes 107
3. 02/26/2016 09:21:35 root ? ttyS0 /usr/bin/login yes 38
4. 02/26/2016 09:50:32 root ? ttyS0 /usr/bin/login yes 38

# search and display executing logs by UserID 1000

[root@dlp ~]#
ausearch -ui 1000 | aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 02/23/2016 09:52:23 /usr/bin/sudo /dev/ttyS0 ? cent 49
2. 02/23/2016 09:52:23 /usr/bin/sudo /dev/ttyS0 ? cent 50
3. 02/23/2016 09:55:06 /usr/bin/su ttyS0 ? cent 80
.....
.....
15. 02/26/2016 09:48:50 /usr/bin/sudo /dev/ttyS0 ? cent 52
 
Tweet