Command To Search Audit Logs in AlmaLinux / RHEL
This guide shows you how to use the ausearch command to search the audit log file in AlmaLinux / RHEL. An audit log is a record of security-relevant events on your system: each record says who performed an action (the uid, the login uid or auid, and the pid), what the action was, and whether it succeeded. The records come from the kernel audit subsystem and are written to disk by the auditd daemon.
By default auditd writes them to /var/log/audit/audit.log, with rotated copies beside it as audit.log.1, audit.log.2 and so on. The file is readable by root only, so run the commands below as root or through sudo. Now proceed to the following steps to see how you can search it.
Use Ausearch Command To Search Audit Logs in AlmaLinux / RHEL
If you want to query the audit log file, you can use the command line utility ausearch, which ships with auditd in the audit package. It searches records by fields such as process ID, user ID, message type, command name, audit key, or a time window, instead of leaving you to grep through the raw file.
Log in to your AlmaLinux server, or any other RHEL-family system such as Rocky Linux or Fedora, and follow the steps below to complete this guide.
Step 1 – View /var/log/audit/audit.log File in AlmaLinux / RHEL
As we said, the ausearch command queries the /var/log/audit/audit.log file. To view the raw file, you can simply use the following command (as root):
cat /var/log/audit/audit.log
Each line of the output is one record: it starts with type=SOMETHING (the message type), followed by msg=audit(EPOCH.MSEC:SERIAL), which is the timestamp in Unix epoch seconds and an event serial number, and then a run of key=value fields such as pid=, uid=, auid=, exe= and res=. Records that belong to the same event share a serial number.
Even a quiet system produces many records, and the numeric uids, syscall numbers and epoch timestamps are hard to read. The ausearch command makes it easier to search and interpret the log on RHEL-based distributions.
Step 2 – The ausearch Command Syntax in AlmaLinux / RHEL
The usage of ausearch is simple. The general syntax is:
ausearch [options]
With no input option it reads the whole set of logs under /var/log/audit, rotated files included; -if file points it at a specific file instead. The -i option interprets numeric fields (uids, syscall numbers, epoch timestamps) into names and dates, and -r keeps the raw records, which is what you want when piping the output into other tools. Now proceed to the following steps to see examples of using ausearch on AlmaLinux and RHEL servers.
Step 3 – Search with Process ID in Audit Logs
You can search the audit log for a process ID with the -p flag. The syntax is:
ausearch -p process-id
For example, we search for process ID 4534:
ausearch -p 4534
This shows only the records whose pid field matches the ID you gave. Note that the kernel reuses process IDs after a process exits, so on a log that spans a long period combine -p with a time window (see Step 5) to avoid mixing unrelated processes.
Step 4 – Search for Failed Login Attempts in Audit Logs
If you want to find failed login attempts in AlmaLinux and RHEL, use -m to select a message type and -sv to filter on the success value (yes or no). Logins that sshd or login records appear as USER_LOGIN, and a failed one carries res=failed, so run:
ausearch -m USER_LOGIN -sv no
Add -i to see dates and account names instead of epoch stamps and numeric ids. A wrong password at the SSH prompt is also recorded by PAM as a USER_AUTH record with res=failed, so listing both types, USER_AUTH,USER_LOGIN, after -m catches attempts that never reached the login stage.
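The failed-login search is usually the start of a triage question such as "which source address is hammering which account?". The script below is an added example, not code from the original page: it tallies USER_LOGIN records with res=failed per account and source address, and lists sources at or above a threshold. Because the verifier cannot run ausearch or read a real /var/log/audit/audit.log, an awk filter stands in for ausearch -m USER_LOGIN -sv no -r and the script runs on a constructed audit.log fragment; the record lines, addresses and the function names failed_logins_by_source and brute_force_sources are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original page. Tallies failed logins per
# account and source address from raw audit records, the post-processing you
# would do after:   ausearch -m USER_LOGIN -sv no -r
# The awk filter stands in for ausearch so the script runs offline on a
# constructed sample; on a real host point the functions at
# /var/log/audit/audit.log and run them as root.

# Write a constructed audit.log fragment (sample data, not a real capture).
write_sample_log() {
    cat > "$1" <<'EOF'
type=USER_LOGIN msg=audit(1700000001.100:201): pid=1410 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000002.300:202): pid=1411 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000003.700:203): pid=1412 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000004.000:204): pid=1413 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000005.900:205): pid=1414 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=/dev/pts/0 res=success'
type=USER_AUTH msg=audit(1700000006.100:206): pid=1415 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
EOF
}

# Count USER_LOGIN records with res=failed, keyed by "account source-address".
# Output: one "<count> <acct> <addr>" line per key, busiest first.
failed_logins_by_source() {
    awk '
        /^type=USER_LOGIN / && /res=failed/ {
            acct = "?"; addr = "?"
            # acct="root"  -> strip the 6-char prefix and the closing quote
            if (match($0, /acct="[^"]*"/)) acct = substr($0, RSTART + 6, RLENGTH - 7)
            # addr=192.0.2.10 -> strip the 5-char prefix
            if (match($0, /addr=[^ ]+/))  addr = substr($0, RSTART + 5, RLENGTH - 5)
            n[acct " " addr]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -k1,1nr -k2,2
}

# Source addresses with at least $2 failures, e.g. to feed a firewall drop list.
brute_force_sources() {
    failed_logins_by_source "$1" | awk -v min="$2" '$1 >= min { print $3 }' | sort -u
}

# Demo on the constructed sample.
SAMPLE=$(mktemp)
write_sample_log "$SAMPLE"
failed_logins_by_source "$SAMPLE"
brute_force_sources "$SAMPLE" 3
rm -f "$SAMPLE"
```

On a live host the same tally is `ausearch -m USER_LOGIN -sv no -r | awk ...` with the awk body above; keep -r rather than -i for this, because -i rewrites the fields the script keys on.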
Step 5 – Display User Activity in Audit Logs
If you want to see everything a particular user did, use the -ua option, which matches records whose uid, effective uid or login uid (auid) equals the user you name; you can pass a user name or a numeric id:
ausearch -ua user-name
Use -ul instead when you want only the login uid: the auid is set at login and survives su and sudo, so it attributes an action to the person who originally logged in rather than to root. An auid of 4294967295 (shown as unset with -i) means the record came from a daemon or boot-time process, not from a login session.
You can also bound the search in time. Use -ts for the start and -te for the end, each given as a date and/or time, or as a keyword such as now, recent, today, yesterday, this-week, week-ago, this-month, this-year, or boot, instead of an exact time format.
For example, everything attributed to a user since yesterday, with numeric fields interpreted:
ausearch -ua user-name -ts yesterday -te now -i
Step 6 – Display System Changes in Audit Logs in AlmaLinux / RHEL
You can also track system changes such as user accounts, groups, and roles in the audit log. The -m option accepts a comma-separated list of message types (no spaces), so one search covers all of them:
ausearch -m ADD_USER,DEL_USER,USER_CHAUTHTOK,ADD_GROUP,DEL_GROUP,CHGRP_ID,ROLE_ASSIGN,ROLE_REMOVE -i
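The searches in Step 5 and Step 6 are usually combined in practice: "what account changes happened in this window, and which login uid made them?". The script below is an added example, not code from the original page. It filters records by the message types listed above and by a time window read from the msg=audit(EPOCH.MSEC:SERIAL) stamp, then attributes each one to its auid, which is what the ausearch command above gives you with -ts and -te added. Because the verifier cannot run ausearch, an awk filter stands in for it and the script runs on a constructed audit.log fragment; the window is given in epoch seconds because the keyword parser (yesterday, this-week, and so on) belongs to ausearch, not to this script. The sample records, ids and the function names account_changes and account_changes_by_auid are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original page. Lists account and group
# changes made inside a time window, attributed to the login uid (auid) that
# made them, i.e. the offline analogue of
#   ausearch -m ADD_USER,DEL_USER,USER_CHAUTHTOK,ADD_GROUP,DEL_GROUP -ts <start> -te <end>
# On a live host run the functions against /var/log/audit/audit.log as root.

# Constructed audit.log fragment (sample data, not a real capture).
write_sample_log() {
    cat > "$1" <<'EOF'
type=USER_LOGIN msg=audit(1700000050.100:300): pid=2100 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=/dev/pts/0 res=success'
type=ADD_USER msg=audit(1700000100.500:310): pid=2201 uid=0 auid=1000 ses=5 msg='op=adding user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=ADD_GROUP msg=audit(1700000100.510:311): pid=2201 uid=0 auid=1000 ses=5 msg='op=adding group to /etc/group id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=USER_CHAUTHTOK msg=audit(1700000160.000:312): pid=2210 uid=0 auid=1000 ses=5 msg='op=PAM:chauthtok grantors=pam_unix acct="alice" exe="/usr/bin/passwd" hostname=? addr=? terminal=pts/0 res=success'
type=SYSCALL msg=audit(1700000170.000:313): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2a1c items=1 ppid=2100 pid=2220 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=5 comm="cat" exe="/usr/bin/cat" key="passwd-read"
type=DEL_USER msg=audit(1700003700.000:400): pid=2300 uid=0 auid=1001 ses=6 msg='op=deleting user entries id=1002 exe="/usr/sbin/userdel" hostname=? addr=? terminal=pts/1 res=success'
EOF
}

# Print "<epoch> <type> auid=<auid> <target>" for account/group/role change
# records whose timestamp lies inside [$2, $3] (epoch seconds, inclusive).
account_changes() {
    awk -v since="$2" -v upto="$3" '
        BEGIN {
            n = split("ADD_USER DEL_USER USER_CHAUTHTOK ADD_GROUP DEL_GROUP CHGRP_ID ROLE_ASSIGN ROLE_REMOVE", t, " ")
            for (i = 1; i <= n; i++) want[t[i]] = 1
        }
        {
            type = substr($1, 6)                  # $1 is "type=ADD_USER"
            if (!(type in want)) next
            # Timestamp lives in msg=audit(EPOCH.MSEC:SERIAL); keep whole seconds
            if (!match($0, /msg=audit\([0-9]+\.[0-9]+:[0-9]+\)/)) next
            stamp = substr($0, RSTART + 10, RLENGTH - 11)
            sub(/\..*/, "", stamp)
            if (stamp + 0 < since + 0 || stamp + 0 > upto + 0) next
            auid = "?"; target = "?"
            if (match($0, /auid=[0-9]+/))  auid = substr($0, RSTART + 5, RLENGTH - 5)
            # Target is id=<n> for useradd/userdel/groupadd, acct="<name>" for PAM
            if (match($0, / id=[0-9]+/))   target = "id:" substr($0, RSTART + 4, RLENGTH - 4)
            if (match($0, /acct="[^"]*"/)) target = substr($0, RSTART + 6, RLENGTH - 7)
            print stamp, type, "auid=" auid, target
        }
    ' "$1"
}

# Same window, restricted to one login uid (what adding -ul <uid> does in ausearch).
account_changes_by_auid() {
    account_changes "$1" "$3" "$4" | awk -v who="auid=$2" '$3 == who'
}

# Demo on the constructed sample.
SAMPLE=$(mktemp)
write_sample_log "$SAMPLE"
account_changes "$SAMPLE" 1700000000 1700001000
account_changes_by_auid "$SAMPLE" 1001 0 9999999999
rm -f "$SAMPLE"
```

The SYSCALL record in the sample is deliberately left out of the result: it has an auid but is not an account change, which is why filtering on the type field comes before anything else. The auid column is the point of the exercise; a change made by auid=1000 after `sudo useradd` still shows uid=0 in the record, and only the auid tells you who actually ran it.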
Step 7 – The ausearch Command – Other Options
For the full list of options, including searching by command name (-c), executable (-x), audit key (-k) and syscall (-sc), run:
ausearch --help
Or you can simply read the man page:
man ausearch
Conclusion
At this point, you have learned how to use the ausearch command to search the audit log file on AlmaLinux / RHEL servers. The raw log is hard to read and search, but ausearch lets you narrow it to the process, user, message type, outcome or time window you care about, and -i turns the numeric fields into names and dates you can act on.