7.8. Creating Audit Reports


The aureport utility allows you to generate summary and columnar reports on the events recorded in Audit log files. By default, all audit.log files in the /var/log/audit/ directory are queried to create the report. To run the report against a different file, use the aureport options -if file_name command.

Example 7.7. Using aureport to generate Audit reports

To generate a report for logged events in the past three days excluding the current example day, use the following command:
~]# aureport --start 04/08/2013 00:00:00 --end 04/11/2013 00:00:00
To generate a report of all executable file events, use the following command:
~]# aureport -x
To generate a summary of the executable file event report above, use the following command:
~]# aureport -x --summary
To generate a summary report of failed events for all users, use the following command:
~]# aureport -u --failed --summary -i
To generate a summary report of all failed login attempts for each system user, use the following command:
~]# aureport --login --summary -i
To generate a report from an ausearch query that searches all file access events for user 500, use the following command:
~]# ausearch --start today --loginuid 500 --raw | aureport -f --summary
To generate a report of all Audit files that are queried and the time range of events they include, use the following command:
~]# aureport -t
For a full listing of all aureport options, see the aureport(8) man page.
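The date-range report and the failed-events summary from Example 7.7, wrapped for scheduled use, as an added example that is not part of the Red Hat guide. The function names, the threshold and the sample report are constructed for illustration, and GNU date is assumed.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide. Assumes GNU date (-d option).

# audit_window REF DAYS: print --start/--end arguments covering the DAYS
# full days before REF (YYYY-MM-DD), excluding REF itself. Dates are printed
# as MM/DD/YYYY, the form used in the guide's example.
audit_window() {
    ref=$1 days=$2
    # Noon is used for the arithmetic so a DST shift cannot change the date.
    start=$(date -d "$ref 12:00 $days days ago" +%m/%d/%Y) || return 1
    end=$(date -d "$ref 12:00" +%m/%d/%Y) || return 1
    printf -- '--start %s 00:00:00 --end %s 00:00:00\n' "$start" "$end"
}

# flag_failed_users THRESHOLD: read "aureport -u --failed --summary -i"
# output on stdin and print "user count" for each account with at least
# THRESHOLD failed events. Title, separator and blank lines are skipped
# because only data rows start with a number.
flag_failed_users() {
    awk -v min="$1" \
        '$1 ~ /^[0-9]+$/ && NF >= 2 && $1 + 0 >= min { print $2, $1 }'
}

# failed_users_report DAYS THRESHOLD: run on an audited host as root.
# Word splitting of the audit_window output is intentional.
failed_users_report() {
    aureport $(audit_window "$(date +%F)" "$1") -u --failed --summary -i |
        flag_failed_users "$2"
}

# Constructed sample in the summary report layout (not real log data).
sample_report() {
    cat <<'EOF'

Failed User Summary Report
===========================
total  auid
===========================
14  root
9  alice
2  bob
1  unset
EOF
}
```

Calling `failed_users_report 3 5` from a daily cron job prints only the accounts with five or more failed events over the previous three full days.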