Command To Search Audit Logs in AlmaLinux / RHEL

This guide will show you how to Use Ausearch Command to Search Audit Logs File in AlmaLinux / RHEL. An Audit log is a record of events and changes in your system. In simple words, Audit logs capture events by recording who runs the event, what the activity is, and how the system responds to it.

You can simply view the Audit logs under the /var/log/audit/audit.log file directory. Now proceed to the following steps to see how you can do this.

Use Ausearch Command To Search Audit Logs in AlmaLinux / RHEL

If you want to view the Audit logs file, you can use a simple command line utility named Ausearch. This command will help you search audit logs based on different queries such as hostname, ID, command name, etc.

Now you can log in to your AlmaLinux or any RHEL server such as Rocky Linux, or Fedora, and follow the steps below to complete this guide.

Step 1 – View /var/log/audit/audit.log File in AlmaLinux / RHEL

As we said, the ausearch command will query the /var/log/audit/audit.log File. To view this file, you can simply use the following command:

cat /var/log/audit/audit.log

In your output, you will see something similar to this:

View /var/log/audit/audit.log File

As you can see, there is a lot of data and may be difficult to search and read. So you can use the ausearch command to make it easier to search in your RHEL-based distros.

Step 2 – The ausearch Command Syntax in AlmaLinux / RHEL

The usage of ausearch is simple and easy. The general syntax of using this command is like the following command:

ausearch [options]

At this point, you can proceed to the following steps to see the examples of using the ausearch command in AlmaLinux and RHEL servers.

Step 3 – Search with Process ID in Audit Logs

You can simply search Audit logs with Process IDs by using the -p flag in the ausearch command. To do this, you can use the following syntax:

ausearch -p process-id

For example, we search for process ID 4534:

ausearch -p 4534

Example Output:

Search with Process ID in Audit Logs

This command will you the specific data just about your Process ID you have defined in the command.

Step 4 – Search for Failed Login Attempts in Audit Logs

If you want to find the failed login attempts in AlmaLinux and RHEL, you can simply use the -m option to display specific messages and -sv to get the success value. To do this, you can run the command below:

ausearch -m USER_LOGIN -sv no 

Example Output:

Failed Login Attempts in Audit Logs

Step 5 – Display User Activity in Audit Logs

At this point, if you plan to find your user activities, you can simply use the -ua option in the ausearch command. To do this, you can use the command below:

ausearch -ua user-name

Example Output:

Display User Activity in Audit Logs

Also, you can specify the time to the above command. You can use the -ts for the start date or time, and use the -te for the end of the date or time. Simply you can use phrases such as yesterday, this-week, week-ago, this-year, etc, instead of using the exact time formats.

For example:

ausearch -ua user-name -ts yesterday -te now -i 

Step 6 – Display System Changes in Audit Logs in AlmaLinux / RHEL

You can also view your system changes such as user accounts, groups, and roles in the Audit logs file. To do this, you can use the following command and specify the comma between your queries:

ausearch -m ADD_USER,DEL_USER,USER_CHAUTHTOK,ADD_GROUP,DEL_GROUP,CHGRP_ID,ROLE_ASSIGN,ROLE_REMOVE  -i

Step 7 – The ausearch Command – Other Options

For more information about the ausearch command and to get more options, you can simply run the help command:

ausearch --help
more information about the ausearch command

Or you can simply read the man page:

man ausearch

Conclusion

At this point, you have learned to Use the ausearch command to search the Audit Logs File in AlmaLinux / RHEL servers. As you can see, the Audit logs file is complicated to read and search, but the ausearch command line utility makes it easy to read and search with your desired options and queries.

Hope you enjoy it. Also, you may interested in these articles:

Install KDE Plasma Desktop on Linux Mint 21.2

Set up FirewallD GUI on Fedora Linux 39

Steps To Run PHP 8.3 on Linux Mint 21

Newsletter Updates

Enter your email address below and subscribe to our newsletter

Leave a Reply

Stay informed and not overwhelmed, subscribe now!