Auditd : Display Summary Logs with aureport
2023/02/20

It's possible to display summaries of Audit logs with the [aureport] command, which is included in the Audit package.

[1] This is how to use the [aureport] command.
# display the whole summary (no arguments)
[root@dlp ~]# aureport

Summary Report
======================
Range of time in logs: 11/25/2021 18:25:45.522 - 03/10/2022 23:26:12.211
Selected time for report: 11/25/2021 18:25:45 - 03/10/2022 23:26:12.211
Number of changes in configuration: 225
Number of changes to accounts, groups, or roles: 6
Number of logins: 23
Number of failed logins: 0
Number of authentications: 25
Number of failed authentications: 4
Number of users: 3
Number of terminals: 4
Number of host names: 5
Number of executables: 18
Number of commands: 14
Number of files: 1
Number of AVC's: 11
Number of MAC events: 64
Number of failed syscalls: 11
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 22
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 171
Number of events: 3755

# display authentication logs
[root@dlp ~]# aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 11/25/2021 18:26:50 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 69
2. 11/26/2021 01:22:54 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 61
3. 12/07/2021 22:31:29 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 64
4. 12/07/2021 22:36:31 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 50
5. 12/20/2021 18:55:21 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 64
.....
.....
25. 03/10/2022 23:25:15 root dlp.srv.world /dev/ttyS0 /usr/bin/su no 406
26. 03/10/2022 23:25:26 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 410
27. 03/10/2022 23:25:30 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 411
28. 03/10/2022 23:25:33 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 412
29. 03/10/2022 23:25:41 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 422

# display a summary of failed authentications
[root@dlp ~]# aureport -au --failed --summary

Failed Authentication Summary Report
=============================
total acct
=============================
3 alma
1 root

# display account modification logs
[root@dlp ~]# aureport -m -i

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 03/10/2022 22:04:12 root ? ? /usr/sbin/groupadd ? yes 146
2. 03/10/2022 22:04:12 root ? ? /usr/sbin/groupadd ? yes 147
3. 03/10/2022 22:04:12 root ? ? /usr/sbin/useradd apache yes 148
4. 03/10/2022 23:19:46 root ? ? /usr/sbin/groupadd ? yes 125
5. 03/10/2022 23:19:46 root ? ? /usr/sbin/groupadd ? yes 126
6. 03/10/2022 23:19:46 root ? ? /usr/sbin/useradd apache yes 127

# display account modification logs since the beginning of this month
[root@dlp ~]# aureport -m -i --start this-month

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 03/10/2022 22:04:12 root ? ? /usr/sbin/groupadd ? yes 146
2. 03/10/2022 22:04:12 root ? ? /usr/sbin/groupadd ? yes 147
3. 03/10/2022 22:04:12 root ? ? /usr/sbin/useradd apache yes 148
4. 03/10/2022 23:19:46 root ? ? /usr/sbin/groupadd ? yes 125
5. 03/10/2022 23:19:46 root ? ? /usr/sbin/groupadd ? yes 126
6. 03/10/2022 23:19:46 root ? ? /usr/sbin/useradd apache yes 127

# display executable logs
[root@dlp ~]# aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 11/25/2021 18:25:45 /usr/sbin/auditctl (none) ? unset 5
2. 11/25/2021 18:25:45 /usr/sbin/auditctl (none) ? unset 6
3. 11/25/2021 18:25:45 /usr/sbin/auditctl (none) ? unset 7
4. 11/25/2021 18:25:45 /usr/lib/systemd/systemd ? ? unset 8
5. 11/25/2021 18:25:45 /usr/lib/systemd/systemd-update-utmp ? ? unset 9
.....
.....
2694. 03/10/2022 23:25:47 /usr/lib/systemd/systemd ? ? unset 441
2695. 03/10/2022 23:25:47 /usr/lib/systemd/systemd ? ? unset 442
2696. 03/10/2022 23:26:04 /usr/lib/systemd/systemd ? ? unset 162
2697. 03/10/2022 23:26:04 /usr/lib/systemd/systemd ? ? unset 163
2698. 03/10/2022 23:26:12 /usr/lib/systemd/systemd ? ? unset 443

# display executable logs from 2022/3/10 to 2022/3/11
[root@dlp ~]# aureport -x -i --start 03/10/2022 --end 03/11/2022

Executable Report
====================================
# date time exe term host auid event
====================================
1. 03/10/2022 18:59:36 /usr/sbin/auditctl (none) ? unset 5
2. 03/10/2022 18:59:36 /usr/sbin/auditctl (none) ? unset 6
3. 03/10/2022 18:59:36 /usr/sbin/auditctl (none) ? unset 7
4. 03/10/2022 18:59:36 /usr/lib/systemd/systemd ? ? unset 8
5. 03/10/2022 18:59:36 /usr/lib/systemd/systemd-update-utmp ? ? unset 9
.....
.....
903. 03/10/2022 23:25:47 /usr/lib/systemd/systemd ? ? unset 441
904. 03/10/2022 23:25:47 /usr/lib/systemd/systemd ? ? unset 442
905. 03/10/2022 23:26:04 /usr/lib/systemd/systemd ? ? unset 162
906. 03/10/2022 23:26:04 /usr/lib/systemd/systemd ? ? unset 163
907. 03/10/2022 23:26:12 /usr/lib/systemd/systemd ? ? unset 443
[2] It is also possible to combine [ausearch] and [aureport]: filter events with [ausearch] and pipe the result into [aureport], as follows.

# search for sudo events by UserID 1000 and display them as an authentication report
[root@dlp ~]# ausearch -x sudo -ua 1000 | aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 03/10/2022 23:21:54 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 341
2. 03/10/2022 23:25:26 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 410
3. 03/10/2022 23:25:30 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 411
4. 03/10/2022 23:25:33 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 412

# search for events by UserID 1000 and display them as an executable report
[root@dlp ~]# ausearch -ui 1000 | aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 03/10/2022 23:21:19 /usr/bin/su /dev/ttyS0 dlp.srv.world alma 280
2. 03/10/2022 23:21:19 /usr/bin/su /dev/ttyS0 dlp.srv.world alma 281
3. 03/10/2022 23:21:19 /usr/bin/su /dev/ttyS0 dlp.srv.world alma 282
4. 03/10/2022 23:21:19 /usr/bin/su /dev/ttyS0 dlp.srv.world alma 283
5. 03/10/2022 23:21:32 /usr/bin/su /dev/ttyS0 dlp.srv.world alma 284
.....
.....
15. 03/10/2022 23:25:26 /usr/bin/sudo /dev/ttyS0 dlp.srv.world alma 410
16. 03/10/2022 23:25:30 /usr/bin/sudo /dev/ttyS0 dlp.srv.world alma 411
17. 03/10/2022 23:25:33 /usr/bin/sudo /dev/ttyS0 dlp.srv.world alma 412
18. 03/10/2022 23:25:35 /usr/bin/sudo ttyS0 ? alma 413
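As an added example that is not part of the original page, the following Python script parses rows in the layout of the [aureport -au] report shown above (a constructed sample in that layout is embedded), reproduces the per-account totals that [aureport -au --failed --summary] prints, and additionally flags accounts with repeated failures inside a short window; the threshold and window values are assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of "aureport -au" output
# (# date time acct host term exe success event); not real log data.
SAMPLE_REPORT = """\
# date time acct host term exe success event
1. 03/10/2022 23:21:54 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 341
2. 03/10/2022 23:25:15 root dlp.srv.world /dev/ttyS0 /usr/bin/su no 406
3. 03/10/2022 23:25:26 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 410
4. 03/10/2022 23:25:30 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 411
5. 03/10/2022 23:25:33 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 412
6. 03/10/2022 23:25:41 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 422
"""

# One data row: running number, date, time, acct, host, term, exe, yes/no, event id
ROW = re.compile(
    r"^\d+\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<acct>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<term>\S+)\s+(?P<exe>\S+)\s+(?P<success>yes|no)\s+(?P<event>\d+)$"
)

def parse_auth_report(text):
    """Return one dict per data row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["when"] = datetime.strptime(f"{d['date']} {d['time']}", "%m/%d/%Y %H:%M:%S")
            rows.append(d)
    return rows

def failed_summary(rows):
    """Failures per account, i.e. the totals 'aureport -au --failed --summary' prints."""
    return Counter(r["acct"] for r in rows if r["success"] == "no")

def failure_bursts(rows, threshold=3, window_seconds=60):
    """Accounts with at least `threshold` failures inside a sliding time window (assumed values)."""
    flagged = set()
    by_acct = {}
    for r in sorted((r for r in rows if r["success"] == "no"), key=lambda r: r["when"]):
        times = by_acct.setdefault(r["acct"], [])
        times.append(r["when"])
        while (times[-1] - times[0]).total_seconds() > window_seconds:
            times.pop(0)  # oldest failure fell out of the window
        if len(times) >= threshold:
            flagged.add(r["acct"])
    return flagged
```

To run it against a live report, feed the output of `aureport -au` (or of an `ausearch ... | aureport -au` pipeline) to parse_auth_report instead of the sample.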