CentOS Stream 8

Auditd : Display Summary Logs with aureport (2021/03/04)

 
Audit logs can be summarized with the [aureport] command, which is included in the audit package. aureport reads the log files written by auditd, so run it as root as in the examples below.
[1] The following examples show how to use [aureport].
# with no arguments, display the overall summary: per-category event counts over the whole log range (the failed-login, failed-authentication and AVC counters are the first ones worth checking)

[root@dlp ~]#
aureport


Summary Report
======================
Range of time in logs: 02/18/2021 15:51:55.319 - 03/04/2021 17:08:55.178
Selected time for report: 02/18/2021 15:51:55 - 03/04/2021 17:08:55.178
Number of changes in configuration: 723
Number of changes to accounts, groups, or roles: 5
Number of logins: 19
Number of failed logins: 1
Number of authentications: 23
Number of failed authentications: 3
Number of users: 3
Number of terminals: 4
Number of host names: 5
Number of executables: 17
Number of commands: 19
Number of files: 1
Number of AVC's: 15
Number of MAC events: 53
Number of failed syscalls: 15
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 45
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 303
Number of events: 3070

# display authentication events (login, su, sudo); the success column shows whether each attempt succeeded

[root@dlp ~]#
aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 02/18/2021 15:52:50 root localhost.localdomain ttyS0 /usr/bin/login yes 58
2. 02/24/2021 14:21:48 root localhost.localdomain ttyS0 /usr/bin/login yes 52
3. 02/24/2021 14:33:49 root localhost.localdomain ttyS0 /usr/bin/login yes 78
4. 02/24/2021 15:27:54 root localhost.localdomain ttyS0 /usr/bin/login yes 80
5. 02/25/2021 11:45:03 root localhost.localdomain ttyS0 /usr/bin/login yes 82
6. 02/25/2021 11:46:04 root dlp.srv.world ttyS0 /usr/bin/login yes 78
7. 02/25/2021 12:00:00 cent dlp.srv.world ttyS0 /usr/bin/su yes 95
.....
.....
24. 03/04/2021 15:57:09 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 182
25. 03/04/2021 15:57:14 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 183
26. 03/04/2021 16:04:34 root dlp.srv.world ttyS0 /usr/bin/login yes 195

# summarize failed authentication attempts per account (useful for spotting brute-force attempts or misused accounts)

[root@dlp ~]#
aureport -au --failed --summary


Failed Authentication Summary Report
=============================
total  acct
=============================
3  cent
1  root

# display account, group and role modification events; -i (interpret) resolves numeric uid/gid fields to names. A "no" in the success column means the useradd/groupadd call failed

[root@dlp ~]#
aureport -m -i


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 02/24/2021 19:26:45 root ? ? /usr/sbin/groupadd dbus no 77
2. 02/24/2021 19:26:45 root ? ? /usr/sbin/useradd dbus no 78
3. 02/25/2021 18:27:46 root ? ? /usr/sbin/groupadd ? yes 134
4. 02/25/2021 18:27:46 root ? ? /usr/sbin/groupadd ? yes 135
5. 02/25/2021 18:27:47 root ? ? /usr/sbin/useradd apache yes 136
6. 03/01/2021 21:02:29 root ? ? /usr/sbin/useradd testuser yes 137

# the same report restricted to events since the start of the current month (--start accepts keywords such as this-month as well as explicit dates)

[root@dlp ~]#
aureport -m -i --start this-month


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 03/01/2021 21:02:29 root ? ? /usr/sbin/useradd testuser yes 137

# display executable (process execution) events; auid is the login uid of the session that started the process, and "unset" marks processes not started from a login session, such as systemd and auditctl at boot

[root@dlp ~]#
aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 02/18/2021 15:51:55 /usr/sbin/auditctl (none) ? unset 5
2. 02/18/2021 15:51:55 /usr/sbin/auditctl (none) ? unset 6
3. 02/18/2021 15:51:55 /usr/sbin/auditctl (none) ? unset 7
4. 02/18/2021 15:51:55 /usr/lib/systemd/systemd ? ? unset 8
5. 02/18/2021 15:51:55 /usr/lib/systemd/systemd-update-utmp ? ? unset 9

.....
.....

3012. 03/04/2021 17:16:39 /usr/lib/systemd/systemd ? ? unset 233
3013. 03/04/2021 17:16:39 /usr/bin/login ttyS0 dlp.srv.world root 234
3014. 03/04/2021 17:16:39 /usr/bin/login ttyS0 dlp.srv.world root 235
3015. 03/04/2021 17:16:39 /usr/bin/login ttyS0 dlp.srv.world root 236
3016. 03/04/2021 17:17:00 /usr/lib/systemd/systemd ? ? unset 237

# the same report restricted to 2021/3/1 through 2021/3/2. Note that --end is given a date without a time, yet the output below still contains events from the afternoon of 03/02 — check man aureport for how a bare end date is interpreted rather than assuming midnight

[root@dlp ~]#
aureport -x -i --start 03/01/2021 --end 03/02/2021


Executable Report
====================================
# date time exe term host auid event
====================================
1. 03/02/2021 15:00:42 /usr/sbin/auditctl (none) ? unset 5
2. 03/02/2021 15:00:42 /usr/sbin/auditctl (none) ? unset 6
3. 03/02/2021 15:00:42 /usr/sbin/auditctl (none) ? unset 7
4. 03/02/2021 15:00:42 /usr/lib/systemd/systemd ? ? unset 8
5. 03/02/2021 15:00:43 /usr/lib/systemd/systemd-update-utmp ? ? unset 9

.....
.....

754. 03/02/2021 16:02:46 /usr/lib/systemd/systemd ? ? unset 106
755. 03/02/2021 16:02:46 /usr/lib/systemd/systemd ? ? unset 107
756. 03/02/2021 16:02:46 /usr/lib/systemd/systemd ? ? unset 108
757. 03/02/2021 16:30:19 /usr/lib/systemd/systemd ? ? unset 109
758. 03/02/2021 16:30:19 /usr/lib/systemd/systemd ? ? unset 110
[2] [ausearch] and [aureport] can be combined: filter the events with [ausearch] and pipe them into [aureport] for formatting, as follows. (ausearch's --raw option produces output intended for feeding other audit tools; add it if aureport does not accept the piped input.)
# search for sudo events (-x sudo) where user ID 1000 appears as uid, euid or auid (-ua) and display them as an authentication report. The same events (182, 183) are shown here with timestamps four hours later than in the plain aureport -au output above — apparently a timezone conversion difference — so verify which timezone each tool reports before correlating records by time

[root@dlp ~]#
ausearch -x sudo -ua 1000 | aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 03/04/2021 19:54:46 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 133
2. 03/04/2021 19:57:09 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 182
3. 03/04/2021 19:57:14 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 183

# list executables run by user ID 1000 (-ui matches the uid field only, unlike -ua above) and display them as an executable report

[root@dlp ~]#
ausearch -ui 1000 | aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 03/04/2021 15:49:30 /usr/bin/su ttyS0 node01.srv.world cent 135
2. 03/04/2021 15:49:30 /usr/bin/su ttyS0 node01.srv.world cent 136
3. 03/04/2021 15:49:30 /usr/bin/su ttyS0 node01.srv.world cent 137
4. 03/04/2021 15:49:30 /usr/bin/su ttyS0 node01.srv.world cent 138
5. 03/04/2021 15:54:46 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 133

.....
.....

12. 03/04/2021 15:57:09 /usr/bin/sudo /dev/ttyS0 dlp.srv.world cent 182
13. 03/04/2021 15:57:14 /usr/bin/sudo /dev/ttyS0 dlp.srv.world cent 183
14. 03/04/2021 15:57:15 /usr/bin/sudo ttyS0 ? cent 184