-a, --eventaudit-event-id
Search for an event based on the given eventID. Messages always start with something like
msg=audit(1116360555.329:2401771). The event ID is the number after the ':'. All audit events that
are recorded from one application's syscall have the same audit event ID. A second syscall made by
the same application will have a different event ID. This way they are unique.
--archCPU
Search for events based on a specific CPU architecture. If you do not know the arch of your
machine but you want to use the 32 bit syscall table and your machine supports 32 bits, you can
also use b32 for the arch. The same applies to the 64 bit syscall table, you can use b64. The
arch of your machine can be found by doing 'uname -m'.
-c, --commcomm-name
Search for an event based on the given commname. The comm name is the executable's name from the
task structure.
--debug
Write malformed events that are skipped to stderr.
--checkpointcheckpoint-file
Checkpoint the output between successive invocations of ausearch such that only events not
previously output will print in subsequent invocations.
An auditd event is made up of one or more records. When processing events, ausearch defines events
as either complete or in-complete. A complete event is either a single record event or one whose
event time occurred 2 seconds in the past compared to the event being currently processed.
A checkpoint is achieved by recording the last completed event output along with the device number
and inode of the file the last completed event appeared in checkpoint-file. On a subsequent
invocation, ausearch will load this checkpoint data and as it processes the log files, it will
discard all complete events until it matches the checkpointed one. At this point, it will start
outputting complete events.
Should the file or the last checkpointed event not be found, one of a number of errors will result
and ausearch will terminate. See EXITSTATUS for detail.
--eoe-timeoutseconds
Set the end of event parsing timeout. See end_of_event_timeout in auditd.conf(5) for details. Note
that setting this value will override any configured value found in /etc/auditd/auditd.conf.
-e, --exit exit-code-or-errno
Search for an event based on the given syscall exitcodeorerrno.
--escapeoption
This option determines if the output is escaped to make the content safer for certain uses. The
options are raw , tty , shell , and shell_quote. Each mode includes the characters of the
preceding mode and escapes more characters. That is to say shell includes all characters escaped
by tty and adds more. tty is the default.
--extra-keys
When the format mode is csv, this option will add a final column with key information if its
exists for the event. This would only occur on SYSCALL records which were the result of triggering
an audit rule that defines a key.
--extra-labels
When the format mode is csv, this option will add columns of information about subject and object
labels when they exist.
--extra-obj2
When the format mode is csv, this option will add columns of information about a second object
when it exists. It's rare that a second object is part of a record. Some examples are when a file
is renamed from one name to another or when a device is mounted to a path.
--extra-time
When the format mode is csv, this option will add columns of information about broken down time to
make subsetting easier.
-f, --filefile-name
Search for an event based on the given filename. The argument will match normal files as well as
af_unix sockets.
--formatoption
Events that match the search criteria are formatted using this option. The supported formats are:
raw, default, interpret, csv, and text. The raw option is described under the --raw command line
option. The default option is what you get when no formatting options are passed. It includes one
line as a visual separator which indicates the time stamp and then the records of the event
follow. The interpret option is explained under the -i command line option. The csv option outputs
the results of the search as a normalized event in comma separated value (CSV) format suitable for
import into analytical programs. The text option turns the event into an English sentence that is
easier to understand than other options, but it comes at the expense of loss of detail. In most
cases this is perfectly fine since the original event still retains all the original information.
-ga, --gid-allall-group-id
Search for an event with either effective group ID or group ID matching the given groupID.
-ge, --gid-effectiveeffective-group-id
Search for an event with the given effectivegroupID or group name.
-gi, --gidgroup-id
Search for an event with the given groupID or group name.
-h, --help
Help
-hn, --hosthost-name
Search for an event with the given hostname. The hostname can be either a hostname, fully
qualified domain name, or numeric network address. No attempt is made to resolve numeric addresses
to domain names or aliases. This search typically correlates to the addr or host field of audit
events. Also see the --node command which searches the node field.
-i, --interpret
Interpret numeric entities into text. For example, uid is converted to account name. If the audit
logs are unenriched, the conversion is done using the current resources of the machine where the
search is being run. If you have renamed the accounts, or don't have the same accounts on your
machine, you could get misleading results. If the logs are enriched, it uses the supplemental data
to do the conversion. This allows accurate log reporting even when run on a different machine than
the original logs came from.
-if, --inputfile-name | directory
Use the given file or directory instead of the logs. This is to aid analysis where the logs have
been moved to another machine or only part of a log was saved. The path length is limited to 4064
bytes.
--input-logs
Use the log file location from auditd.conf as input for searching. This is needed if you are using
ausearch from a cron job.
--just-one
Stop after emitting the first event that matches the search criteria.
-k, --keykey-string
Search for an event based on the given keystring.
-l, --line-buffered
Flush output on every line. Most useful when stdout is connected to a pipe and the default block
buffering strategy is undesirable. May impose a performance penalty.
-m, --messagemessage-type | comma-sep-message-type-list
Search for an event matching the given messagetype. (Message types are also known as record
types.) You may also enter a commaseparatedlistofmessagetypes or multiple individual message
types each with its own -m option. There is an ALL message type that doesn't exist in the actual
logs. It allows you to get all messages in the system. The list of valid messages types is long.
The program will display the list whenever no message type is passed with this parameter. The
message type can be either text or numeric. If you enter a list, there can be only commas and no
spaces separating the list.
-n, --node
Search for events originating from a specific machine. Multiple nodes are allowed, and if any
nodes match, the event is matched. This search uses the node field in audit events. Also see the
--host command which search for events related to host information in the audit trail.
-o, --objectSE-Linux-context-string
Search for event with tcontext (object) matching the string.
-p, --pidprocess-id
Search for an event matching the given processID.
-pp, --ppidparent-process-id
Search for an event matching the given parentprocessID.
-r, --raw
Output is completely unformatted. This is useful for extracting records to a file that can still
be interpreted by audit tools or when piping to other audit tools.
-sc, --syscallsyscall-name-or-value
Search for an event matching the given syscall. You may either give the numeric syscall value or
the syscall name. If you give the syscall name, it will use the syscall table for the machine that
you are using.
-se, --contextSE-Linux-context-string
Search for events with either scontext/subject or tcontext/object matching the given string.
--sessionLogin-Session-ID
Search for events matching the given Login Session ID. This process attribute is set when a user
logs in and can tie any process to a particular user login.
-su, --subjectSE-Linux-context-string
Search for event with scontext (subject) matching the string.
-sv, --successsuccess-value
Search for an event matching the given successvalue. Legal values are yes and no.
-te, --end [end-date] [end-time]
Search for events with time stamps equal to or before the given end time. The format of end time
depends on your locale. You can check the format of your locale by running date'+%x'. If the
date is omitted, today is assumed. If the time is omitted, now is assumed. Use 24 hour clock time
rather than AM or PM to specify time. An example date using the en_US.utf8 locale is 09/03/2009.
An example of time is 18:00:00. The date format accepted is influenced by the LC_TIME
environmental variable.
You may also use the word: now, recent, this-hour, boot, today, yesterday, this-week, week-ago,
this-month, or this-year. Now means starting now. Recent is 10 minutes ago. Boot means the time of
day to the second when the system last booted. Today means now. Yesterday is 1 second after
midnight the previous day. This-week means starting 1 second after midnight on day 0 of the week
determined by your locale (see localtime). Week-ago means 1 second after midnight exactly 7 days
ago. This-month means 1 second after midnight on day 1 of the month. This-year means the 1 second
after midnight on the first day of the first month.
-ts, --start [start-date] [start-time]
Search for events with time stamps equal to or after the given start time. The format of start
time depends on your locale. You can check the format of your locale by running date'+%x'. If
the date is omitted, today is assumed. If the time is omitted, midnight is assumed. Use 24 hour
clock time rather than AM or PM to specify time. An example date using the en_US.utf8 locale is
09/03/2009. An example of time is 18:00:00. The date format accepted is influenced by the LC_TIME
environmental variable.
You may also use the word: now, recent, this-hour, boot, today, yesterday, this-week, week-ago,
this-month, this-year, or checkpoint. Boot means the time of day to the second when the system
last booted. Today means starting at 1 second after midnight. Recent is 10 minutes ago. Yesterday
is 1 second after midnight the previous day. This-week means starting 1 second after midnight on
day 0 of the week determined by your locale (see localtime). Week-ago means starting 1 second
after midnight exactly 7 days ago. This-month means 1 second after midnight on day 1 of the month.
This-year means the 1 second after midnight on the first day of the first month.
checkpoint means ausearch will use the timestamp found within a valid checkpoint file ignoring the
recorded inode, device, serial, node and event type also found within a checkpoint file.
Essentially, this is the recovery action should an invocation of ausearch with a checkpoint option
fail with an exit status of 10, 11 or 12. It could be used in a shell script something like:
ausearch --checkpoint /etc/audit/auditd_checkpoint.txt -i
_au_status=$?
if test ${_au_status} eq 10 -o ${_au_status} eq 11 -o ${_au_status} eq 12
then
ausearch --checkpoint /etc/audit/auditd_checkpoint.txt --start checkpoint -i
fi
-tm, --terminalterminal
Search for an event matching the given terminal value. Some daemons such as cron and atd use the
daemon name for the terminal.
-ua, --uid-allall-user-id
Search for an event with either user ID, effective user ID, or login user ID (auid) matching the
given userID.
-ue, --uid-effectiveeffective-user-id
Search for an event with the given effectiveuserID.
-ui, --uiduser-id
Search for an event with the given userID.
-ul, --loginuidlogin-id
Search for an event with the given loginuserID. All entry point programs that are PAMified need
to be configured with pam_loginuid required for the session for searching on loginuid (auid) to be
accurate.
-uu, --uuidguest-uuid
Search for an event with the given guestUUID.
-v, --version
Print the version and exit
-vm, --vm-nameguest-name
Search for an event with the given guestname.
-w, --word
String based matches must match the whole word. This category of matches include: filename,
hostname, terminal, keys, and SE Linux context.
-x, --executableexecutable
Search for an event matching the given executable name.