The ausearch command is a tool for querying and analyzing audit logs on Linux systems. It ships with the Linux audit user-space tools (the audit or auditd package, depending on the distribution), alongside the auditd daemon that writes the logs and the auditctl utility that loads the rules. The command lets system administrators and incident responders extract meaningful information from audit logs using a variety of search parameters. In this post, we will explore how to use the ausearch command for different types of audits and troubleshooting scenarios.
What is ausearch?
ausearch searches the logs written by the audit daemon (auditd). These logs contain detailed records of system events such as user logins, file accesses, and changes to system configuration. The audit logs are stored by default in /var/log/audit/audit.log, with rotated files next to it; ausearch reads all of them unless pointed at another file with -if.
Two points shape what a search can find. First, the kernel only records what the loaded audit rules (auditctl -l, /etc/audit/rules.d/) ask for, so a search for file accesses or system calls returns nothing unless a matching watch or syscall rule was in place when the event happened. Login and authentication records, by contrast, are sent by PAM and the login services and are present as long as auditd is running, even with no rules loaded. Second, the log files are readable only by root, so ausearch must be run as root.
This tool is helpful in scenarios where you need to review specific activities on the system, track down security incidents, or troubleshoot system behavior.
Basic Syntax
The basic syntax of the ausearch command is as follows:
ausearch [options]
Where [options] are the flags or filters that select which records to return; most of them can be combined, and each one narrows the result further. Two options are worth adding to almost every search: -i (--interpret), which translates numeric UIDs, syscall numbers and hex-encoded arguments into readable names, and -if (--input) followed by a path, which reads a saved or copied log file instead of the live one.
Commonly Used ausearch Options
Searching by Time Range
If you want to search for audit events that occurred within a specific time range, use the -ts (start time) and -te (end time) options. Each takes a date, optionally followed by a time in HH:MM:SS. The date format follows the locale; for the default C and en_US locales it is MM/DD/YYYY. If the date is omitted, today is assumed. Instead of a date, -ts and -te also accept the keywords now, recent (ten minutes ago), today, yesterday, this-week, week-ago, this-month, this-year and boot, which keep interactive searches short.
ausearch -ts 01/01/2025 00:00:00 -te 01/10/2025 23:59:59
This command returns all events between January 1, 2025 and the end of January 10, 2025, in local time. ausearch -ts recent returns the last ten minutes, and ausearch -ts boot everything since the last boot.
Searching by Event Type
The -m option restricts results to events that contain a record of the given type; several types can be given as a comma-separated list. Common types include SYSCALL for system calls matched by a rule, PATH for the file names involved in those calls, EXECVE for the arguments of executed programs, and the USER_* records sent by PAM and the login services: USER_AUTH for the authentication step, USER_ACCT for the account-management step (whether the account is permitted to log in at all), USER_START and USER_END for session open and close, and USER_LOGIN for the final result of a login.
ausearch -m USER_ACCT
This returns the events in which PAM checked whether an account may log in; expired or locked accounts and access.conf denials show up here with res=failed. ausearch -m USER_LOGIN,USER_AUTH returns every login result together with the authentication attempts behind it.
Searching by UID
You can filter events by user ID (UID) using the -ui option. Note that -ui matches the uid field of a record, that is, the user the process was running as, so actions taken through sudo or su carry uid=0 and are missed. To follow a person rather than a process identity, use -ul, which matches the login UID (auid); the kernel assigns it at login and it is preserved across su and sudo. -ua matches if any of the uid, euid or auid fields equals the value.
ausearch -ui 1001
This displays all events whose uid field is 1001. The same search by login UID is ausearch -ul 1001, which is usually the right choice when investigating what a specific person did.
Searching for a Specific File or Directory
To investigate activity on a specific file or directory, use the -f option followed by the path. The value is matched against the name recorded in PATH records as a substring, so -f passwd also matches /etc/passwd and any other path containing that string; give the full path when you want a precise match. Remember that file events are only recorded where a rule exists: auditctl -w /etc/passwd -p wa -k passwd_changes records writes and attribute changes to /etc/passwd and tags them with the key passwd_changes, after which ausearch -k passwd_changes is the most direct way to pull them out.
ausearch -f /etc/passwd
This shows all events that touched /etc/passwd, such as reads, writes or attribute changes, to the extent the loaded rules recorded them.
Searching by Event ID
Every record carries a stamp of the form msg=audit(1735776000.101:301); the number after the colon is the event ID (serial), and all records that share the stamp belong to one event. If you have the ID, for example from a SIEM alert or an earlier search, the -a (--event) option pulls the whole event back:
ausearch -a 12345
This returns the event with ID 12345. Serials restart at boot, so add a time range if the logs span several boots. Do not confuse this with -e (--exit), which selects syscall events by their exit code or errno rather than by event ID.
Searching by Process ID (PID)
You can search for events generated by a specific process with the -p option followed by its process ID (PID); -pp does the same for the parent PID, which is useful for seeing everything a shell or service spawned.
ausearch -p 1234
This returns all events whose pid field is 1234. PIDs are reused after a process exits, so on a long-running system combine -p with a time range, or with -x for the executable path, to avoid mixing in an unrelated process that later received the same number.
Combining Filters
ausearch allows multiple search parameters in one command; they are combined with AND, so an event must satisfy all of them. For example, you can search for events of a specific user within a time range:
ausearch -ui 1001 -ts 01/01/2025 00:00:00 -te 01/10/2025 23:59:59
This displays events with uid 1001 that occurred between January 1 and the end of January 10, 2025. Adding -i makes the output readable, and -k (rule key), -c (process name) and -x (executable path) can be stacked in the same way.
Example Use Cases
Investigating Unauthorized Access Attempts
Suppose you are investigating unauthorized access attempts on your system. Failed logins are written as USER_LOGIN records with res=failed, and -sv (--success) no keeps only the unsuccessful ones:
ausearch -m USER_LOGIN -sv no -i
This returns all failed login attempts, with the account name and source address in each record. -sv no also works on SYSCALL events, where it matches success=no. Pair it with -m USER_AUTH to see the password or key failures that preceded each login failure, and with -ts today or -ts recent to focus on current activity. For a count per account rather than raw records, aureport -au --failed summarizes the same data.
Tracking a Specific File Modification
If you are concerned about changes to critical files such as /etc/passwd or /etc/shadow, first make sure a watch rule records them, for example auditctl -w /etc/shadow -p wa -k shadow_changes (placed in /etc/audit/rules.d/ so it survives a reboot). Then search by file:
ausearch -f /etc/passwd -i
This shows each event that touched /etc/passwd: the SYSCALL record gives the process, its uid and auid, and whether the call succeeded, and the PATH record gives the file. ausearch -k shadow_changes -i returns the events tagged by the rule above, whatever path under the watch was hit.
Troubleshooting System Errors
If you are troubleshooting a failing service or a permission problem, the syscall records show which calls failed and why. -sv no keeps only failed calls, and -e (--exit) selects by exit code or errno name, so EACCES (permission denied) or EPERM can be singled out directly:
ausearch -m SYSCALL -sv no -ts today -i
This lists every audited system call that failed today, with the syscall name, the process and the errno decoded by -i. ausearch -e EACCES -ts today -i narrows it to permission denials, the first thing to check when SELinux or file permissions are suspected. As with file watches, a call only appears here if a syscall rule matched it.
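The filtering described under Combining Filters and in the use cases above, written out as an added example in Python (not code from the audit project): a small reader for raw audit.log lines that groups records into events by their audit(time:serial) stamp and then applies the equivalents of -m, -ui, -ul, -f, -ts/-te and -sv, plus a failed-login report for the first use case. SAMPLE_LOG, with its hosts, accounts and serials, is constructed for the example; the substring matching of the file name mirrors the -f behaviour described above; and times are read as UTC rather than local time to keep the example deterministic.

```python
"""Reader for raw audit.log records that mirrors how ausearch groups and filters them.

Added example, not code from the auditd project. It assumes the stock record
layout 'type=T msg=audit(EPOCH.MS:SERIAL): k=v ...'. SAMPLE_LOG is constructed
for this example; the hosts, accounts and serials are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# One record per line; records that share the audit(time:serial) stamp form one event.
HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1735776000.101:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2c1d8b40 a2=241 a3=1b6 items=1 ppid=2100 pid=2142 auid=1001 uid=0 gid=0 euid=0 tty=pts0 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=CWD msg=audit(1735776000.101:301): cwd="/root"
type=PATH msg=audit(1735776000.101:301): item=0 name="/etc/passwd" inode=393 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=USER_LOGIN msg=audit(1735779600.222:410): pid=2300 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1735779605.223:411): pid=2301 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1735779700.300:415): pid=2310 uid=0 auid=1001 ses=7 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.4 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1735783200.500:520): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5634a2f1c0b0 a2=0 a3=0 items=1 ppid=2400 pid=2431 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 comm="cat" exe="/usr/bin/cat" key="shadow_read"
type=PATH msg=audit(1735783200.500:520): item=0 name="/etc/shadow" inode=401 dev=fd:00 mode=0100000 ouid=0 ogid=0 nametype=NORMAL
"""


def parse_fields(text):
    """Flatten k=v pairs; USER_* records nest the PAM details in msg='...', so splice them in."""
    inner = re.search(r"msg='(.*)'", text)
    if inner:
        text = text[:inner.start()] + inner.group(1)
    return {k: v.strip('"') for k, v in FIELD.findall(text)}


def parse_record(line):
    m = HEADER.match(line)
    if not m:
        return None
    return {"type": m["type"], "time": float(m["ts"]), "serial": int(m["serial"]),
            "fields": parse_fields(m["body"])}


def group_events(lines):
    """Return events (lists of records) in time order, grouped by the audit(time:serial) stamp."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[(rec["time"], rec["serial"])].append(rec)
    return [events[k] for k in sorted(events)]


def at(stamp):
    """'YYYY-MM-DD HH:MM:SS' -> epoch seconds, read as UTC so the example is timezone-independent."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def record_succeeded(rec):
    """SYSCALL records carry success=yes|no; USER_* records carry res=success|failed."""
    f = rec["fields"]
    if "success" in f:
        return f["success"] == "yes"
    if "res" in f:
        return f["res"] == "success"
    return None


def search(events, *, types=None, uid=None, auid=None, file=None, start=None, end=None, success=None):
    """ausearch-style filters, ANDed; an event matches when any of its records satisfies a filter.
    types ~ -m, uid ~ -ui, auid ~ -ul, file ~ -f (substring of the PATH name, as described above),
    start/end ~ -ts/-te in epoch seconds, success ~ -sv yes|no (True|False here)."""
    hits = []
    for ev in events:
        t = ev[0]["time"]
        if (start is not None and t < start) or (end is not None and t > end):
            continue
        if types and not any(r["type"] in types for r in ev):
            continue
        if uid is not None and not any(r["fields"].get("uid") == str(uid) for r in ev):
            continue
        if auid is not None and not any(r["fields"].get("auid") == str(auid) for r in ev):
            continue
        if file and not any(file in r["fields"].get("name", "") for r in ev):
            continue
        if success is not None and not any(record_succeeded(r) is success for r in ev):
            continue
        hits.append(ev)
    return hits


def failed_logins(events):
    """Use case 'unauthorized access attempts': (account, source address, time) per failed USER_LOGIN."""
    out = []
    for ev in search(events, types={"USER_LOGIN"}, success=False):
        for r in ev:
            if r["type"] == "USER_LOGIN":
                f = r["fields"]
                out.append((f.get("acct") or f.get("id"), f.get("addr"), r["time"]))
    return out


if __name__ == "__main__":
    evs = group_events(SAMPLE_LOG.splitlines())
    for acct, addr, t in failed_logins(evs):
        when = datetime.fromtimestamp(t, timezone.utc)
        print(f"failed login for {acct} from {addr} at {when:%Y-%m-%d %H:%M:%S} UTC")
    # uid vs auid: the /etc/passwd edit ran as root under sudo, so a uid=1001 search misses it
    print(len(search(evs, uid=1001)), "event(s) with uid=1001;", len(search(evs, auid=1001)), "with auid=1001")
```

Running it prints the two failed logins for bob from 203.0.113.7 and then "1 event(s) with uid=1001; 3 with auid=1001": the vi session that opened /etc/passwd ran as root under sudo, so only the login UID ties it back to user 1001, which is the practical reason to prefer -ul over -ui when reconstructing what a person did.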
Conclusion
The ausearch command is a versatile tool for querying and analyzing audit logs on Linux. Its filtering options let administrators and incident responders investigate security incidents, track system events, and troubleshoot problems; the quality of the answers depends on the audit rules that were loaded when the events happened, so rules and searches should be designed together.
By combining ausearch with aureport for summaries and auditctl for rule management, you can improve your ability to detect suspicious activity and maintain a secure Linux environment.
📝 For more information about ausearch, see the ausearch man page (man 8 ausearch).