7.7. Searching the Audit Log Files

The ausearch utility allows you to search Audit log files for specific events. By default, ausearch searches the /var/log/audit/audit.log file. You can specify a different file using the ausearch options -if file_name command. Supplying multiple options in one ausearch command is equivalent to using the AND operator.

Example 7.6. Using ausearch to search Audit log files

To search the /var/log/audit/audit.log file for failed login attempts, use the following command:

ausearch --message USER_LOGIN --success no --interpret

~]# ausearch --message USER_LOGIN --success no --interpret

Copy to Clipboard

Toggle word wrap

To search for all account, group, and role changes, use the following command:

ausearch -m ADD_USER -m DEL_USER -m ADD_GROUP -m USER_CHAUTHTOK -m DEL_GROUP -m CHGRP_ID -m ROLE_ASSIGN -m ROLE_REMOVE -i

~]# ausearch -m ADD_USER -m DEL_USER -m ADD_GROUP -m USER_CHAUTHTOK -m DEL_GROUP -m CHGRP_ID -m ROLE_ASSIGN -m ROLE_REMOVE -i

Copy to Clipboard

Toggle word wrap

To search for all logged actions performed by a certain user, using the user's login ID (auid), use the following command:

ausearch -ua 500 -i

~]# ausearch -ua 500 -i

Copy to Clipboard

Toggle word wrap

To search for all failed system calls from yesterday up until now, use the following command:

ausearch --start yesterday --end now -m SYSCALL -sv no -i

~]# ausearch --start yesterday --end now -m SYSCALL -sv no -i

Copy to Clipboard

Toggle word wrap

For a full listing of all ausearch options, see the ausearch(8) man page.

返回顶部

此内容没有您所选择的语言版本。

7.7. Searching the Audit Log Files

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links