ausearch — Query the Linux audit log for events. Part of the `audit` package. See also: `audit2why`, `audit2all
Problem
How to use the ausearch command: Query the Linux audit log for events. Part of the audit package. See also: audit2why, audit2allow, aureport. More information: <https://manned.org/ausearch>.
Solution
Search for all SELinux AVC denial events:
sudo ausearch {{[-m|--message]}} avc
Search for events related to a specific executable:
sudo ausearch {{[-c|--comm]}} {{httpd}}
Search for events from a specific user:
sudo ausearch {{[-ui|--uid]}} {{1000}}
Search for events in the last 10 minutes:
sudo ausearch {{[-ts|--start]}} recent
Search for failed login attempts:
sudo ausearch {{[-m|--message]}} user_login {{[-sv|--success]}} no
Search for events related to a specific file:
sudo ausearch {{[-f|--file]}} {{path/to/file}}
Display results in raw format for further processing:
sudo ausearch {{[-m|--message]}} avc --raw
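An added example, not from tldr-pages or the audit project, for the "raw format for further processing" case: a POSIX shell function (`summarize_avc_denials`, our own name) that counts SELinux denials per command, permission and target type from `ausearch -m avc --raw` output, run here on a constructed sample; `recent_avc_summary` (also ours) wraps it with the `-ts recent` query shown above and assumes sudo and a running auditd.

```shell
#!/bin/sh
# Added example (not from tldr-pages): post-process raw AVC records from
# `ausearch -m avc --raw`. Function and sample names are our own.

# Constructed sample of --raw output, standing in for a real audit log.
SAMPLE_RAW='type=AVC msg=audit(1700000000.101:301): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="sda1" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=no exit=-13 ppid=1 pid=1201 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.205:302): avc:  denied  { read } for  pid=1201 comm="httpd" name="logo.png" dev="sda1" ino=4712 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.310:303): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.420:304): avc:  granted  { read } for  pid=1300 comm="sshd" name="sshd_config" dev="sda1" ino=5001 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Read raw audit records on stdin; print "<count> <comm> <permission> <target type>"
# for each distinct denial, most frequent first. Granted AVCs and the
# SYSCALL/PATH records that accompany each event are skipped.
summarize_avc_denials() {
  awk '
    /^type=AVC / && /avc: +denied/ {
      comm = ""; perm = ""; ttype = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/) {
          comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm)
        }
        if ($i ~ /^tcontext=/) {          # user:role:type:level -> type
          split($i, ctx, ":"); ttype = ctx[3]
        }
      }
      # the permission list sits between "{ " and " }"
      if (match($0, /[{] [^}]* [}]/))
        perm = substr($0, RSTART + 2, RLENGTH - 4)
      count[comm " " perm " " ttype]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Live use on an auditd host (assumes sudo): denials from the last 10 minutes.
recent_avc_summary() {
  sudo ausearch -m avc -ts recent --raw | summarize_avc_denials
}

printf '%s\n' "$SAMPLE_RAW" | summarize_avc_denials
```

Each output line names a command, the permission it was refused and the SELinux type it touched, which is the tuple you feed to audit2why or audit2allow when deciding whether a denial is a policy gap or an actual misuse.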
Context
tldr-pages: linux/ausearch