此内容没有您所选择的语言版本。
7.7. Searching the Audit Log Files
The ausearch utility allows you to search Audit log files for specific events. By default, ausearch searches the
/var/log/audit/audit.log
file. You can specify a different file using the ausearch options -if file_name
command. Supplying multiple options in one ausearch
command is equivalent to using the AND operator.
Example 7.6. Using ausearch
to search Audit log files
To search the
/var/log/audit/audit.log
file for failed login attempts, use the following command:
~]# ausearch --message USER_LOGIN --success no --interpret
To search for all account, group, and role changes, use the following command:
~]# ausearch -m ADD_USER -m DEL_USER -m ADD_GROUP -m USER_CHAUTHTOK -m DEL_GROUP -m CHGRP_ID -m ROLE_ASSIGN -m ROLE_REMOVE -i
To search for all logged actions performed by a certain user, using the user's login ID (
auid
), use the following command:
~]# ausearch -ua 500 -i
To search for all failed system calls from yesterday up until now, use the following command:
~]# ausearch --start yesterday --end now -m SYSCALL -sv no -i
For a full listing of all
ausearch
options, see the ausearch(8) man page.