-a, --event audit-event-id
Search for an event based on the given event ID. Messages
always start with something like
msg=audit(1116360555.329:2401771). The event ID is the
number after the ':'. All audit events that are recorded
from one application's syscall have the same audit event
ID. A second syscall made by the same application will
have a different event ID. This way they are unique.
--arch CPU
Search for events based on a specific CPU architecture.
If you do not know the arch of your machine but you want
to use the 32 bit syscall table and your machine supports
32 bits, you can also use b32 for the arch. The same
applies to the 64 bit syscall table, you can use b64. The
arch of your machine can be found by doing 'uname -m'.
-c, --comm comm-name
Search for an event based on the given comm name. The comm
name is the executable's name from the task structure.
--debug
Write malformed events that are skipped to stderr.
--checkpoint checkpoint-file
Checkpoint the output between successive invocations of
ausearch such that only events not previously output will
print in subsequent invocations.
An auditd event is made up of one or more records. When
processing events, ausearch defines events as either
complete or in-complete. A complete event is either a
single record event or one whose event time occurred 2
seconds in the past compared to the event being currently
processed.
A checkpoint is achieved by recording the last completed
event output along with the device number and inode of the
file the last completed event appeared in checkpoint-file.
On a subsequent invocation, ausearch will load this
checkpoint data and as it processes the log files, it will
discard all complete events until it matches the
checkpointed one. At this point, it will start outputting
complete events.
Should the file or the last checkpointed event not be
found, one of a number of errors will result and ausearch
will terminate. See EXIT STATUS for detail.
--eoe-timeout seconds
Set the end of event parsing timeout. See
end_of_event_timeout in auditd.conf(5) for details. Note
that setting this value will override any configured value
found in /etc/auditd/auditd.conf.
-e, --exit exit-code-or-errno
Search for an event based on the given syscall exit code
or errno.
--escape option
This option determines if the output is escaped to make
the content safer for certain uses. The options are raw ,
tty , shell , and shell_quote. Each mode includes the
characters of the preceding mode and escapes more
characters. That is to say shell includes all characters
escaped by tty and adds more. tty is the default.
--extra-keys
When the format mode is csv, this option will add a final
column with key information if its exists for the event.
This would only occur on SYSCALL records which were the
result of triggering an audit rule that defines a key.
--extra-labels
When the format mode is csv, this option will add columns
of information about subject and object labels when they
exist.
--extra-obj2
When the format mode is csv, this option will add columns
of information about a second object when it exists. It's
rare that a second object is part of a record. Some
examples are when a file is renamed from one name to
another or when a device is mounted to a path.
--extra-time
When the format mode is csv, this option will add columns
of information about broken down time to make subsetting
easier.
-f, --file file-name
Search for an event based on the given filename. The
argument will match normal files as well as af_unix
sockets.
--format option
Events that match the search criteria are formatted using
this option. The supported formats are: raw, default,
interpret, csv, and text. The raw option is described
under the --raw command line option. The default option is
what you get when no formatting options are passed. It
includes one line as a visual separator which indicates
the time stamp and then the records of the event follow.
The interpret option is explained under the -i command
line option. The csv option outputs the results of the
search as a normalized event in comma separated value
(CSV) format suitable for import into analytical programs.
The text option turns the event into an English sentence
that is easier to understand than other options, but it
comes at the expense of loss of detail. In most cases this
is perfectly fine since the original event still retains
all the original information.
-ga, --gid-all all-group-id
Search for an event with either effective group ID or
group ID matching the given group ID.
-ge, --gid-effective effective-group-id
Search for an event with the given effective group ID or
group name.
-gi, --gid group-id
Search for an event with the given group ID or group name.
-h, --help
Help
-hn, --host host-name
Search for an event with the given host name. The hostname
can be either a hostname, fully qualified domain name, or
numeric network address. No attempt is made to resolve
numeric addresses to domain names or aliases. This search
typically correlates to the addr or host field of audit
events. Also see the --node command which searches the
node field.
-i, --interpret
Interpret numeric entities into text. For example, uid is
converted to account name. If the audit logs are
unenriched, the conversion is done using the current
resources of the machine where the search is being run. If
you have renamed the accounts, or don't have the same
accounts on your machine, you could get misleading
results. If the logs are enriched, it uses the
supplemental data to do the conversion. This allows
accurate log reporting even when run on a different
machine than the original logs came from.
-if, --input file-name | directory
Use the given file or directory instead of the logs. This
is to aid analysis where the logs have been moved to
another machine or only part of a log was saved. The path
length is limited to 4064 bytes.
--input-logs
Use the log file location from auditd.conf as input for
searching. This is needed if you are using ausearch from a
cron job.
--just-one
Stop after emitting the first event that matches the
search criteria.
-k, --key key-string
Search for an event based on the given key string.
-l, --line-buffered
Flush output on every line. Most useful when stdout is
connected to a pipe and the default block buffering
strategy is undesirable. May impose a performance penalty.
-m, --message message-type | comma-sep-message-type-list
Search for an event matching the given message type.
(Message types are also known as record types.) You may
also enter a comma separated list of message types or
multiple individual message types each with its own -m
option. There is an ALL message type that doesn't exist in
the actual logs. It allows you to get all messages in the
system. The list of valid messages types is long. The
program will display the list whenever no message type is
passed with this parameter. The message type can be either
text or numeric. If you enter a list, there can be only
commas and no spaces separating the list.
-n, --node
Search for events originating from a specific machine.
Multiple nodes are allowed, and if any nodes match, the
event is matched. This search uses the node field in audit
events. Also see the --host command which search for
events related to host information in the audit trail.
-o, --object SE-Linux-context-string
Search for event with tcontext (object) matching the
string.
-p, --pid process-id
Search for an event matching the given process ID.
-pp, --ppid parent-process-id
Search for an event matching the given parent process ID.
-r, --raw
Output is completely unformatted. This is useful for
extracting records to a file that can still be interpreted
by audit tools or when piping to other audit tools.
-sc, --syscall syscall-name-or-value
Search for an event matching the given syscall. You may
either give the numeric syscall value or the syscall name.
If you give the syscall name, it will use the syscall
table for the machine that you are using.
-se, --context SE-Linux-context-string
Search for event with either scontext/subject or
tcontext/object matching the string.
--session Login-Session-ID
Search for events matching the given Login Session ID.
This process attribute is set when a user logs in and can
tie any process to a particular user login.
-su, --subject SE-Linux-context-string
Search for event with scontext (subject) matching the
string.
-sv, --success success-value
Search for an event matching the given success value.
Legal values are yes and no.
-te, --end [end-date] [end-time]
Search for events with time stamps equal to or before the
given end time. The format of end time depends on your
locale. You can check the format of your locale by running
date '+%x'. If the date is omitted, today is assumed. If
the time is omitted, now is assumed. Use 24 hour clock
time rather than AM or PM to specify time. An example date
using the en_US.utf8 locale is 09/03/2009. An example of
time is 18:00:00. The date format accepted is influenced
by the LC_TIME environmental variable.
You may also use the word: now, recent, boot, today,
yesterday, this-week, week-ago, this-month, or this-year.
Now means starting now. Recent is 10 minutes ago. Boot
means the time of day to the second when the system last
booted. Today means now. Yesterday is 1 second after
midnight the previous day. This-week means starting 1
second after midnight on day 0 of the week determined by
your locale (see localtime). Week-ago means 1 second after
midnight exactly 7 days ago. This-month means 1 second
after midnight on day 1 of the month. This-year means the
1 second after midnight on the first day of the first
month.
-ts, --start [start-date] [start-time]
Search for events with time stamps equal to or after the
given start time. The format of start time depends on your
locale. You can check the format of your locale by running
date '+%x'. If the date is omitted, today is assumed. If
the time is omitted, midnight is assumed. Use 24 hour
clock time rather than AM or PM to specify time. An
example date using the en_US.utf8 locale is 09/03/2009. An
example of time is 18:00:00. The date format accepted is
influenced by the LC_TIME environmental variable.
You may also use the word: now, recent, boot, today,
yesterday, this-week, week-ago, this-month, this-year, or
checkpoint. Boot means the time of day to the second when
the system last booted. Today means starting at 1 second
after midnight. Recent is 10 minutes ago. Yesterday is 1
second after midnight the previous day. This-week means
starting 1 second after midnight on day 0 of the week
determined by your locale (see localtime). Week-ago means
starting 1 second after midnight exactly 7 days ago.
This-month means 1 second after midnight on day 1 of the
month. This-year means the 1 second after midnight on the
first day of the first month.
checkpoint means ausearch will use the timestamp found
within a valid checkpoint file ignoring the recorded
inode, device, serial, node and event type also found
within a checkpoint file. Essentially, this is the
recovery action should an invocation of ausearch with a
checkpoint option fail with an exit status of 10, 11 or
12. It could be used in a shell script something like:
ausearch --checkpoint /etc/audit/auditd_checkpoint.txt -i
_au_status=$?
if test ${_au_status} eq 10 -o ${_au_status} eq 11 -o ${_au_status} eq 12
then
ausearch --checkpoint /etc/audit/auditd_checkpoint.txt --start checkpoint -i
fi
-tm, --terminal terminal
Search for an event matching the given terminal value.
Some daemons such as cron and atd use the daemon name for
the terminal.
-ua, --uid-all all-user-id
Search for an event with either user ID, effective user
ID, or login user ID (auid) matching the given user ID.
-ue, --uid-effective effective-user-id
Search for an event with the given effective user ID.
-ui, --uid user-id
Search for an event with the given user ID.
-ul, --loginuid login-id
Search for an event with the given login user ID. All
entry point programs that are PAMified need to be
configured with pam_loginuid required for the session for
searching on loginuid (auid) to be accurate.
-uu, --uuid guest-uuid
Search for an event with the given guest UUID.
-v, --version
Print the version and exit
-vm, --vm-name guest-name
Search for an event with the given guest name.
-w, --word
String based matches must match the whole word. This
category of matches include: filename, hostname, terminal,
keys, and SE Linux context.
-x, --executable executable
Search for an event matching the given executable name.
